Generate/Create a SHA2/SHA256 self-signed cert - RedHat/CentOS

To generate a SHA-256 signed certificate on Linux, run the openssl command below and you have a certificate whose signature uses SHA-256 instead of the deprecated SHA-1. That is what PCI DSS environments (and today's browsers) ask for: SHA-1 signed certificates are no longer treated as strong cryptography. Keep in mind that a self-signed certificate only satisfies the hashing requirement; clients will still warn until the certificate is added to their trust store, so this is for internal hosts (the example here is a Nagios server), and anything public-facing should get a CA-issued certificate. The walkthrough installs the result for Apache (httpd) on RedHat/CentOS. Run the command below to generate the .crt and .key files.

Command to generate SHA256 Cert

# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout hostname.local.key -out hostname.local.crt

What the flags do: -x509 produces a self-signed certificate instead of a signing request, -sha256 selects the signature hash (the whole point of this exercise), -days 1095 makes it valid for three years, -newkey rsa:2048 creates a fresh 2048-bit RSA key, and -nodes writes that key unencrypted so httpd can start without a passphrase prompt. Because the key is unencrypted, the only thing protecting it is file permissions, so keep it readable by root alone.

[@nagios admin]# openssl req -x509 -nodes -sha256 -days 1095 -newkey rsa:2048 -keyout -out
Generating a 2048 bit RSA private key
writing new private key to ''
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:BERKS
Locality Name (eg, city) [Default City]:READING
Organization Name (eg, company) [Default Company Ltd]:Personal
Organizational Unit Name (eg, section) []:DEV
Common Name (eg, your name or your server's hostname) []
Email Address []:admin@nagios.local

The command has now generated two files, the private key and the certificate, as you can see with ls. Note that the Common Name was left blank in the session above; on a real host set it to the server's hostname (and, for current browsers, also add a subjectAltName), because that is what clients match against the URL.

[@nagios admin]# ls

Now verify that the certificate was signed with SHA-256. It is the certificate's signature algorithm that matters here, not the key (an RSA key has no hash algorithm of its own), so dump the certificate and look for sha256WithRSAEncryption; grep 256 is enough to find it. The line appears twice because the algorithm is recorded both inside the signed body and next to the signature itself.

# openssl x509 -noout -text -in | grep 256


[@nagios admin]# openssl x509 -noout -text -in | grep 256
    Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

Now copy the key and cert into the TLS folders. The certificate can be world-readable, but the key was written unencrypted, so make sure the copy in /etc/pki/tls/private is owned by root with mode 0600.

# cp /etc/pki/tls/certs/
# cp /etc/pki/tls/private/

Now point ssl.conf at the newly generated certificate and key.

Edit ssl.conf

# vi /etc/httpd/conf.d/ssl.conf
--- SSLCertificateFile /etc/pki/tls/certs/
--- SSLCertificateKeyFile /etc/pki/tls/private/

Restart Apache

# service httpd restart (or) /etc/init.d/httpd restart

That is it: httpd is now serving a certificate signed with SHA-256. Browsers will still show a trust warning for a self-signed certificate until it is imported into the client trust store, but the SHA-1 warning is gone. If the restart fails with a key/certificate mismatch, an old key has been paired with the new certificate; make sure both files named in ssl.conf come from the same openssl run, and check the configuration with apachectl configtest before restarting.
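The whole procedure as one script, added here as an example and not part of the original article: it generates the key and SHA-256 self-signed certificate non-interactively (a config file sets the Common Name and adds a subjectAltName), checks the signature algorithm, the SAN and that key and certificate belong together, then stages the files with the right permissions and prints the two ssl.conf directives. The hostname nagios.local, the DN values, the function names and the CERT_DIR/KEY_DIR variables are assumptions for illustration; the script only needs openssl on PATH and, unless you point it at the real /etc/pki/tls paths, no root.

```bash
#!/bin/bash
# Added example, not code from the original article. Generates a SHA-256
# self-signed certificate non-interactively, verifies it, and stages it for
# Apache (httpd) on RHEL/CentOS. Assumes openssl (1.0.2 or newer) on PATH;
# hostname, DN values, function names and CERT_DIR/KEY_DIR are illustrative.
set -eu

# gen_selfsigned HOST DIR [DAYS]: writes DIR/HOST.key and DIR/HOST.crt.
# A config file replaces the interactive prompts so the Common Name cannot be
# left blank, and a subjectAltName is added because browsers ignore the CN.
# -nodes leaves the key unencrypted (httpd must start unattended), so the key
# is protected by a 0600 mode from umask instead of a passphrase.
gen_selfsigned() {
    local host="$1" dir="$2" days="${3:-1095}"
    cat > "${dir}/${host}.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = GB
ST = BERKS
L = READING
O = Personal
OU = DEV
CN = ${host}
[ext]
subjectAltName = DNS:${host}
EOF
    ( umask 077
      openssl req -x509 -nodes -sha256 -days "${days}" -newkey rsa:2048 \
          -config "${dir}/${host}.cnf" \
          -keyout "${dir}/${host}.key" -out "${dir}/${host}.crt" 2>/dev/null )
}

# sig_alg CERT: prints the certificate's signature algorithm,
# e.g. sha256WithRSAEncryption (the key itself has no hash algorithm).
sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# has_san CERT HOST: succeeds if the certificate carries DNS:HOST.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# keys_match CERT KEY: succeeds if the certificate's public key is the one
# derived from KEY; a mismatch is what makes httpd refuse to start.
keys_match() {
    local c k
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# install_for_httpd HOST SRCDIR [CERT_DIR] [KEY_DIR]: copies the pair into the
# RHEL/CentOS locations (cert world-readable, key root-only) and prints the
# two directives to put in /etc/httpd/conf.d/ssl.conf.
install_for_httpd() {
    local host="$1" src="$2"
    local cert_dir="${3:-/etc/pki/tls/certs}" key_dir="${4:-/etc/pki/tls/private}"
    mkdir -p "${cert_dir}" "${key_dir}"
    install -m 0644 "${src}/${host}.crt" "${cert_dir}/${host}.crt"
    install -m 0600 "${src}/${host}.key" "${key_dir}/${host}.key"
    printf 'SSLCertificateFile %s/%s.crt\nSSLCertificateKeyFile %s/%s.key\n' \
        "${cert_dir}" "${host}" "${key_dir}" "${host}"
}

# Demo ("bash thisscript.sh demo"): generate into a scratch directory, verify,
# and stage. Set CERT_DIR/KEY_DIR to the real paths and run as root to install
# for httpd; then run "apachectl configtest" and restart httpd
# ("systemctl restart httpd" on CentOS/RHEL 7+, "service httpd restart" on 6).
if [ "${1:-}" = "demo" ]; then
    host="nagios.local"
    work=$(mktemp -d)
    gen_selfsigned "${host}" "${work}"
    echo "signature algorithm: $(sig_alg "${work}/${host}.crt")"
    has_san "${work}/${host}.crt" "${host}" && echo "SAN present for ${host}"
    keys_match "${work}/${host}.crt" "${work}/${host}.key" && echo "key matches cert"
    install_for_httpd "${host}" "${work}" "${CERT_DIR:-${work}/certs}" "${KEY_DIR:-${work}/private}"
fi
```

The config-file route works on the OpenSSL 1.0.2 shipped with CentOS 7 as well as on 1.1.1 and 3.x, which is why it is used instead of the newer -addext option. keys_match is the check to run whenever httpd refuses to start after a certificate swap.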
