[CentOS] which commands do you use to SSL certify your own server?

Paul Heinlein heinlein at madboa.com
Fri Jun 15 15:56:24 UTC 2007


On Fri, 15 Jun 2007, M. Fioretti wrote:

>> 1) Run
>>
>> openssl req \
>>   -x509 -nodes -days 365 \
>>   -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>>   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
>
> this would be the one-command version of running CA -newreq -nodes,
> after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
> right?

Right.

> Still to be 100% sure of what we are saying: the command above 
> self-signs keys and certificate and puts both of them in the 
> mycert.pem file, correct?

Right.

>> Also, if you're doing this on a private server, you can keep the 
>> cert and the key in the same file.
>
> I assume by "private" here you mean "a server which is only used by 
> the members of a closed organization (business, charity, 
> whatever...) but is not used as an ISP to the public", right?

Right. I use "private" in the sense of "I trust that users with login 
privileges to this machine won't abuse it or intentionally try to 
access data that's off-limits to them."

>> I'd just give it 0600 perms no matter where you put it.
>
> 0600 and ownership root, of course?

Yes.

> Sorry for the repeated questions, but I must say that ssl is one of 
> the fields where the available docs are less clear to 
> non-professionals. It seems to take a lot of effort to just figure 
> out which are the right questions to ask...

I agree whole-heartedly. Building and maintaining an infrastructure to 
support SSL-enabled applications is a daunting task, and quite 
different from learning SSL programming or theory. Anyone looking to 
write for O'Reilly could probably pitch such a title! :-)

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com



More information about the CentOS mailing list