Introduction
Creating a self-signed SSL certificate in Fedora 40 is an essential task for securing communications between clients and servers. SSL certificates enable encrypted connections and let the client verify the identity of the server, providing a layer of security for web applications and services.
Overview
What
An SSL (Secure Sockets Layer) certificate is a digital certificate that provides authentication for a website and enables an encrypted connection. A self-signed SSL certificate is one that is not issued by a trusted certificate authority but is created and signed by the individual or organization using it.
Who
This guide is intended for system administrators, developers, and IT professionals who need to create and use self-signed SSL certificates on Fedora 40 for development, testing, or internal purposes.
Where
You can create a self-signed SSL certificate on any machine running Fedora 40, whether it is a server, desktop, or virtual machine, particularly in environments where encrypted communications are necessary.
When
Create a self-signed SSL certificate when you need to secure communications between a client and server during development or testing phases, or in internal environments where a trusted certificate authority is not required.
Why
Using a self-signed SSL certificate in Fedora 40 has several pros and cons:
Pros | Cons |
---|---|
|
|
How
Follow these steps to create a self-signed SSL certificate in Fedora 40:
Step | Action |
---|---|
Step 1 | Open the terminal. |
Step 2 | Install OpenSSL if not already installed: sudo dnf install openssl |
Step 3 | Generate a private key: openssl genpkey -algorithm RSA -out server.key |
Step 4 | Create a certificate signing request (CSR): openssl req -new -key server.key -out server.csr |
Step 5 | Generate the self-signed certificate: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt |
Step 6 | Configure your web server to use the newly created SSL certificate. |
Consequences
Creating and using a self-signed SSL certificate can have several consequences:
Positive |
|
Negative |
|
Conclusion
Creating a self-signed SSL certificate in Fedora 40 is a practical approach for securing communications in development and testing environments. While it offers a cost-effective and quick solution, it is important to understand its limitations and not use it in production environments where security and trust are paramount.
Create SSL Certificate
Create a self-signed SSL certificate yourself. A self-signed certificate is best suited to testing and development environments; it is not recommended for production systems.
[root@bizantum ~]# vi /etc/ssl/openssl.cnf
# add to last line
# section name is any name you like
# DNS:(this server's hostname)
# to set multiple hostnames or domain names, separate them with commas
# ⇒ DNS:dlp.bizantum.lab, DNS:www.bizantum.lab
[ bizantum.lab ]
subjectAltName = DNS:dlp.bizantum.lab
[root@bizantum ~]# cd /etc/pki/tls/certs
[root@bizantum certs]# openssl genrsa -aes128 2048 > server.key
Enter PEM pass phrase: # set passphrase
Verifying - Enter PEM pass phrase: # confirm
# remove passphrase from private key
[root@bizantum certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # input passphrase
writing RSA key
[root@bizantum certs]# openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP # country code
State or Province Name (full name) []:Hiroshima # state
Locality Name (eg, city) [Default City]:Hiroshima # city
Organization Name (eg, company) [Default Company Ltd]:GTS # company
Organizational Unit Name (eg, section) []:Server World # department
Common Name (eg, your name or your server's hostname) []:dlp.bizantum.lab # server's FQDN
Email Address []:root@bizantum.lab # admin email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# create certificate with 10 years expiration date
# -extensions (section name) ⇒ the section name you set in [openssl.cnf]
[root@bizantum certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -extfile /etc/ssl/openssl.cnf -extensions bizantum.lab -days 3650
Certificate request self-signature ok
subject=C = JP, ST = Hiroshima, L = Hiroshima, O = GTS, OU = Server World, CN = dlp.bizantum.lab, emailAddress = root@bizantum.lab
[root@bizantum certs]# chmod 600 server.key
[root@bizantum certs]# ll server.*
-rw-r--r--. 1 root root 1424 Apr 25 13:35 server.crt
-rw-r--r--. 1 root root 1062 Apr 25 13:35 server.csr
-rw-------. 1 root root 1704 Apr 25 13:35 server.key
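Added example, not part of the original post: a non-interactive variant of the procedures above that sets subjectAltName on the command line with -addext instead of editing openssl.cnf, creates the key under umask 077 so it is never world-readable, and then verifies the result. It assumes OpenSSL 1.1.1 or later and GNU stat; make_selfsigned and check_selfsigned are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). make_selfsigned and
# check_selfsigned are hypothetical helper names.

# make_selfsigned DIR HOSTNAME [EXTRA_HOSTNAME...]
# Writes DIR/server.key and DIR/server.crt; every hostname goes into the SAN.
make_selfsigned() {
    local dir=$1 cn=$2 san="" h
    shift
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    (
        umask 077   # the key file is created private, not fixed up afterwards
        # -nodes leaves the key unencrypted, as the page does (alias of -noenc)
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/server.crt"
}

# check_selfsigned DIR HOSTNAME
# Returns 0 only if HOSTNAME is a SAN entry, the key belongs to the
# certificate, the certificate is not expired, and the key mode is 600.
check_selfsigned() {
    local crt=$1/server.crt key=$1/server.key host=$2
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
        | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$host" || return 1
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 1
    [ "$(stat -c %a "$key")" = 600 ]
}

# Demo in a scratch directory with the hostnames used on this page.
demo_dir=$(mktemp -d)
if make_selfsigned "$demo_dir" dlp.bizantum.lab www.bizantum.lab &&
   check_selfsigned "$demo_dir" www.bizantum.lab; then
    echo "certificate and key verified in $demo_dir"
fi
```

The SAN check matters because `openssl x509 -checkhost` falls back to the Common Name when no SAN is present, so a certificate built without the extension can pass that check while still being rejected by clients that require subjectAltName.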