Generate/Create a SHA2/SHA256 self-signed cert – RedHat/CentOS

by | Oct 25, 2016 | RHEL / CentOS

To generate a SHA256 certificate on Linux, all you need to do is run the openssl command below and you will be ready with a PCI compliant cert. A SHA-2 signed certificate is a standard requirement nowadays in any PCI compliant environment. This walkthrough uses Apache as the backend. Run the command below to generate the .crt and .key files.

Command to generate SHA256 Cert

# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout hostname.local.key -out hostname.local.crt

Output:

[@nagios admin]# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout nagios.off.local.key -out nagios.off.local.crt
Generating a 2048 bit RSA private key
.......................+++
..................+++
writing new private key to 'nagios.off.local.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:BERKS
Locality Name (eg, city) [Default City]:READING
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []:nagios.off.local
Email Address []:[email protected]

Now you can see that it has generated two files as given below.

[@nagios admin]# ls
nagios.off.local.crt  nagios.off.local.key

Now, to verify that the generated certificate is signed with SHA256, run this command and look for SHA256 in the signature algorithm.

# openssl x509 -noout -text -in nagios.off.local.crt | grep 256

Output:

[@nagios admin]# openssl x509 -noout -text -in nagios.off.local.crt | grep 256
    Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

Now copy the Key and Cert to TLS folder

# cp nagios.off.local.crt /etc/pki/tls/certs/
# cp nagios.off.local.key /etc/pki/tls/private/

Now point ssl.conf at the newly generated cert and key.

Edit ssl.conf

# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/nagios.off.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/nagios.off.local.key

Restart Apache

# service httpd restart (or) /etc/init.d/httpd restart

That should be it and you are all ready with a SHA256 cert.
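The whole procedure above, scripted as an added example (not code from the original post): the same openssl command run non-interactively with -subj in place of the DN prompts, followed by the checks worth doing before the files go under /etc/pki/tls. The hostname and DN fields are assumptions matching the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: the post's openssl step run
# non-interactively (-subj replaces the DN prompts), plus checks on the
# result. The DN fields and hostname are assumptions.

# gen_cert DIR HOST -> writes DIR/HOST.key and DIR/HOST.crt
gen_cert() {
    dir=$1; host=$2
    # -nodes leaves the key unencrypted (as in the post) so httpd can
    # start unattended; lock the file down instead.
    openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 \
        -subj "/C=GB/ST=BERKS/L=READING/O=Personal/OU=DEV/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# cert_sig_alg CRT -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# key_matches_cert KEY CRT -> true if the key's public half is the one in the cert
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_has_cn CRT HOST -> true if the subject CN is HOST (matches both the
# "CN=host" and "CN = host" subject formats of older and newer openssl)
cert_has_cn() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"
}

# self_signed_ok CRT -> true if the cert verifies against itself as its own CA
self_signed_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh gencert.sh OUTDIR HOSTNAME
if [ $# -eq 2 ]; then
    gen_cert "$1" "$2"
    echo "signature: $(cert_sig_alg "$1/$2.crt")"
    key_matches_cert "$1/$2.key" "$1/$2.crt" && echo "key matches cert"
    self_signed_ok "$1/$2.crt" && echo "self-signed cert verifies"
fi
```

Copy the resulting .crt and .key into /etc/pki/tls/certs and /etc/pki/tls/private as in the steps above; the chmod keeps the private key readable only by its owner.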
