Generate/Create a SHA2/SHA256 self-signed cert - RedHat/CentOS

To generate a SHA256 certificate on Linux, all you need to do is run the openssl command below and you will have a PCI compliant cert. A SHA-2 signed certificate is a standard requirement nowadays in any PCI compliant environment. The steps here are for an Apache backend. Run the command below to generate the .crt and .key files.

Command to generate SHA256 Cert

# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout hostname.local.key -out hostname.local.crt


[@nagios admin]# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout -out
Generating a 2048 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:BERKS
Locality Name (eg, city) [Default City]:READING
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []
Email Address []:admin@nagios.local

Now you can see that it has generated two files as given below.

[@nagios admin]# ls

Now, to verify that the generated certificate is signed with SHA256, run this command and look for sha256 in the signature algorithm.

# openssl x509 -noout -text -in | grep 256


[@nagios admin]# openssl x509 -noout -text -in | grep 256
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Now copy the key and certificate to the TLS directories (the certificate under certs, the private key under private).

# cp /etc/pki/tls/certs/
# cp /etc/pki/tls/private/

Now point ssl.conf at the location of the newly generated certificate and key.

Edit ssl.conf

# vi /etc/httpd/conf.d/ssl.conf
  --- SSLCertificateFile /etc/pki/tls/certs/
  --- SSLCertificateKeyFile /etc/pki/tls/private/

Restart Apache

# service httpd restart (or) /etc/init.d/httpd restart

That should be it and you are all ready with a SHA256 cert.
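The same procedure as a script, added here as an example (it is not from the original post): the DN prompts are answered non-interactively with -subj, and a check function confirms the certificate is sha256-signed, that the private key actually matches it (the usual reason httpd refuses to start after the cp step), and that the CN is the expected hostname. It assumes openssl is on PATH; the hostname, output directory and validity period are arguments.

```shell
#!/bin/sh
# Generate a self-signed SHA256 certificate and verify it before installing.
# Assumed: openssl on PATH. Arguments: hostname, output directory, [days].

gen_selfsigned() {
  host="$1"; outdir="$2"; days="${3:-1095}"
  mkdir -p "$outdir"
  # -subj replaces the interactive DN prompts; -nodes leaves the key
  # unencrypted (as in the post) so Apache can start without a passphrase.
  openssl req -x509 -nodes -sha256 -days "$days" -newkey rsa:2048 \
    -subj "/C=GB/ST=BERKS/L=READING/O=Personal/OU=DEV/CN=$host" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
}

# Print the certificate's signature algorithm (e.g. sha256WithRSAEncryption).
cert_sigalg() {
  openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

# Return 0 only if the cert is SHA256-signed, the key matches it, and the
# CN is the expected hostname; otherwise print the reason and return 1.
verify_cert() {
  crt="$1"; key="$2"; host="$3"
  case "$(cert_sigalg "$crt")" in
    sha256WithRSAEncryption) ;;
    *) echo "weak or unexpected signature algorithm" >&2; return 1 ;;
  esac
  # Compare the public key embedded in the cert with the one derived from
  # the private key; a mismatch means the wrong .key was copied.
  cpub=$(openssl x509 -noout -pubkey -in "$crt" | openssl sha256)
  kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$host" \
    || { echo "CN is not $host" >&2; return 1; }
  return 0
}
```

Typical use: `gen_selfsigned hostname.local /tmp/certs && verify_cert /tmp/certs/hostname.local.crt /tmp/certs/hostname.local.key hostname.local` before copying the files into /etc/pki/tls.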
