[CentOS] which commands do you use to SSL certify your own server?

M. Fioretti mfioretti at mclink.it
Fri Jun 15 15:15:23 UTC 2007

On Fri, Jun 15, 2007 06:32:42 AM -0700, Paul Heinlein

> You don't need a CA to create a single self-signed certificate.

I see. Actually, this is just one of those things that is not clear at
all from the online docs I found.

> >1) cd /usr/share/ssl
> >2) modify openssl.cnf to have your Common Name and other parameters
> >3) run:
> >     ./CA -newca
> >     ./CA -newreq-nodes
> >4) move the private key from the .pem file to a separate file
> >5) put the cert and key file in a location where Postfix,
> >6) Dovecot and Apache can all use them
> >7) configure each of those servers to use the certificate
> >
> >What have I missed?
> 1) Run
> openssl req \
>   -x509 -nodes -days 365 \
>   -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

this would be the one-command version of running CA -newreq -nodes,
after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
right? Just to be sure that I have understood how all the pieces come
from (as I said, I won't be able to play on the server before

Still to be 100% sure of what we are saying: the command above
self-signs keys and certificate and puts both of them in the
mycert.pem file, correct?

> Also, if you're doing this on a private server, you can keep the
> cert and the key in the same file.

I assume by "private" here you mean "a server which is only used by
the members of a closed organization (business, charity, whatever...)
but is not used as an ISP to the public", right?

> I'd just give it 0600 perms no matter where you put it.

0600 and ownership root, of course?

Sorry for the repeated questions, but I must say that ssl is one of
the fields where the available docs are less clear to
non-professionals. It seems to take a lot of effort to just figure out
which are the right questions to ask...

Thanks again in advance for any feedback,


More information about the CentOS mailing list