Establishing a Private Certificate Authority and Issuing Server Certificates
Prerequisites
Two CentOS 7 hosts are required: one for the Certificate Authority (CA) and another for the web server.
Creating the Private Certificate Authority
Verify OpenSSL Configuration
Confirm that the [ CA_default ] section of the OpenSSL configuration file points at the directory layout used in the following steps; openssl ca reads the locations of its database, serial file, CA certificate and private key from this section.
cat /etc/pki/tls/openssl.cnf
Relevant configuration section:
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
Create Required Directories and Files
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
chmod 700 /etc/pki/CA/private
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
The private directory is where openssl.cnf expects cakey.pem; the CentOS openssl package normally creates it already, but the mkdir and chmod are harmless and guarantee it exists with owner-only permissions. index.txt is the (initially empty) certificate database and serial holds the serial number of the next certificate to be issued.
Generate CA Private Key
Generate a 2048-bit RSA private key for the CA. The umask 077 in the subshell makes the key file readable only by root without affecting the shell's umask afterwards. This key signs every certificate the CA will ever issue, so keep it on the CA host only; for anything beyond a lab, encrypt it at rest (for example with -aes256, which makes openssl ca prompt for the passphrase when signing).
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate Self-Signed CA Certificate
The -x509 option makes openssl req emit a self-signed certificate instead of a certificate signing request; this is the root certificate that clients will later import. The command prompts interactively for the subject fields. A one-year root, as used here, must be reissued and re-imported into every client when it expires, so private roots are often given a longer lifetime (for example -days 3650).
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem \
-out /etc/pki/CA/cacert.pem -days 365
Note: the default signing policy in openssl.cnf (policy = policy_match) requires the country, state/province and organization of every request to match the CA certificate exactly; locality, organizational unit and email address are optional and the common name must be supplied. Record the values entered here, because openssl ca will reject any request that differs in those three fields.
Generating a Certificate Signing Request for HTTP Server
Create SSL Directory
mkdir /etc/httpd/ssl
Generate Server Private Key
(umask 077; openssl genrsa -out /etc/httpd/ssl/server.key 2048)
Create Certificate Signing Request
openssl req -new -key /etc/httpd/ssl/server.key \
-out /etc/httpd/ssl/server.csr
A CSR carries no validity period, and -days only applies when openssl req produces a certificate itself (with -x509), so it is omitted here; the lifetime is set by the CA at signing time. When prompted, enter the same country, state/province and organization as the CA certificate, or openssl ca will reject the request under policy_match, and use the server's host name (for example www.example.com) as the Common Name.
Create Certificate Extensions File
Define the subject alternative names for the certificate. Modern browsers (Chrome 58 and later, Firefox 48 and later) ignore the Common Name and match the host name only against subjectAltName, so every name the server will answer to must be listed. A wildcard entry covers exactly one label: *.example.com matches www.example.com but neither example.com nor a.b.example.com, which is why the bare domain is listed separately.
echo "subjectAltName = DNS:*.example.com, DNS:example.com" > /etc/httpd/ssl/server.ext
Copy server.csr and server.ext to the CA host's /tmp directory (for example with scp). The private key server.key stays on the web server and is never transferred.
Signing the Server Certificate on the CA
Issue the Certificate
openssl ca -in /tmp/server.csr -out /tmp/server.crt \
-days 365 -extfile /tmp/server.ext
Because -extfile is given without -extensions, the extensions are read from the unnamed default section at the top of server.ext, which is why the file needs no section header. The command shows the certificate details and asks for confirmation twice; on success it records the new certificate in /etc/pki/CA/index.txt, writes a copy to /etc/pki/CA/newcerts/01.pem and increments /etc/pki/CA/serial. The output file begins with a human-readable dump followed by the PEM block; Apache and OpenSSL skip the dump, or add -notext to omit it.
Transfer the signed certificate server.crt back to the web server host (again with scp or similar); it contains no secret and can travel over any channel.
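The CA-side and server-side steps above, run end to end as one non-interactive script. This is an added example, not code from the original tutorial: it builds the same directory layout under a temporary directory (mktemp -d) instead of /etc/pki/CA, writes a minimal openssl.cnf with the same [ CA_default ] keys and policy_match section as the CentOS file, issues a certificate with the same subjectAltName, and then checks the result with openssl verify the way a browser would (chain to the root plus host name match). The subject names, host names and the -subj/-batch switches that replace the interactive prompts are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the private-CA procedure
# run non-interactively in a throwaway directory, then checked with
# "openssl verify". Subject names and host names are demo assumptions.
set -u

# Create the tutorial's layout under "$1" plus a minimal openssl.cnf whose
# [ CA_default ] points at it; [ policy_match ] is what the stock file applies.
init_ca_dir() {
    d=$1
    mkdir -p "$d/certs" "$d/crl" "$d/newcerts" || return 1
    (umask 077 && mkdir -p "$d/private") || return 1   # owner-only key dir
    : > "$d/index.txt"                                  # empty database
    echo 01 > "$d/serial"                               # first serial number
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $d
certs         = \$dir/certs
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA root, then server key + CSR + extensions, then "openssl ca" signing.
# Prints the working directory on success.
build_demo_ca() {
    ca=$(mktemp -d) || return 1
    init_ca_dir "$ca" || return 1
    cfg=$ca/openssl.cnf
    # CA host: key (mode 600 via umask) and self-signed root marked CA:TRUE.
    (umask 077 && openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$cfg" -key "$ca/private/cakey.pem" \
        -subj "/C=US/ST=Texas/O=Example Lab/CN=Example Lab Root CA" \
        -days 365 -out "$ca/cacert.pem" || return 1
    # Web server host: C, ST and O must equal the CA's (policy_match).
    (umask 077 && openssl genrsa -out "$ca/server.key" 2048 2>/dev/null) || return 1
    openssl req -new -config "$cfg" -key "$ca/server.key" \
        -subj "/C=US/ST=Texas/O=Example Lab/CN=www.example.com" \
        -out "$ca/server.csr" || return 1
    cat > "$ca/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
    # CA host again: -batch answers the confirmation prompts, -notext keeps
    # server.crt to the bare PEM block; index.txt and serial are updated.
    openssl ca -batch -notext -config "$cfg" -in "$ca/server.csr" \
        -out "$ca/server.crt" -days 365 -extfile "$ca/server.ext" \
        >/dev/null 2>&1 || return 1
    echo "$ca"
}

# The check a browser performs: chain to the root in "$1/cacert.pem" and a
# subjectAltName entry matching host "$2". Exit status 0 means accepted.
cert_matches_host() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Number of valid ("V") entries in the CA database.
issued_count() {
    grep -c '^V' "$1/index.txt"
}

demo=$(build_demo_ca) || { echo "CA setup failed" >&2; exit 1; }
for host in www.example.com example.com deep.sub.example.com evil.test; do
    if cert_matches_host "$demo" "$host"; then echo "$host: accepted"; else echo "$host: rejected"; fi
done
echo "issued: $(issued_count "$demo"), next serial: $(cat "$demo/serial")"
```

Run it on any host with the openssl command line tool; it never touches /etc/pki, and the printed directory can be deleted afterwards. The host name checks show the wildcard rule in practice: www.example.com and example.com are accepted, deep.sub.example.com is rejected because *.example.com covers only one label, and evil.test is rejected because it appears in no SAN. On the real hosts the only differences from the tutorial's commands are -config, -subj and -batch, which stand in for the interactive prompts.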
Configuring Apache HTTP Server with SSL
Install SSL Module
yum install -y mod_ssl
Configure SSL Virtual Host
Edit the SSL configuration file:
vim /etc/httpd/conf.d/ssl.conf
Update the certificate paths:
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
No SSLCertificateChainFile is needed because the server certificate is signed directly by the root that clients import; if an intermediate CA were introduced later, its certificate would have to be served here as well. Run apachectl configtest before restarting to catch a wrong path or a key that does not match the certificate.
Restart HTTP Service
systemctl restart httpd
Browser Configuration
Import Root Certificate
Import the CA root certificate (/etc/pki/CA/cacert.pem) into the browser's trusted root certificate authorities. Importing a root means the browser will trust every certificate that CA ever signs, so distribute only cacert.pem to clients and never the private key cakey.pem.
Configure Local DNS
For testing, add a line mapping the web server's IP address to the name in the certificate (example.com) to the client's hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows); the name in the URL must match a subjectAltName entry or the browser will reject the certificate.
Access via HTTPS
Navigate to https://example.com/ in the browser.
Advanced Certificate Extensions
IP Address SAN Example
An extensions file may reference a named section: subjectAltName=@alt_names pulls its entries from [alt_names] in the same file. IP.n entries are matched against the literal address the client typed in the URL, which is what a server reached by IP address rather than by name needs.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@alt_names
[alt_names]
IP.1=192.168.1.10
IP.2=192.168.1.20
DNS SAN Example
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=example.com
DNS.2=www.example.com
The extendedKeyUsage field specifies the purposes for which the certificate may be used:
serverAuth: TLS server authentication
clientAuth: TLS client authentication
codeSigning: signing executable code
emailProtection: S/MIME email signing and encryption
timeStamping: signing trusted timestamps
If the extension is absent, the certificate is not restricted and is accepted for any purpose. A private CA should therefore always set it, so that a certificate issued for a web server cannot be reused for code signing or email. The examples above also include clientAuth; omit it unless the certificate will actually be presented by a client.