SSL/TLS-certificates for lazy people

In a nutshell, an SSL/TLS certificate (SSL: Secure Sockets Layer, TLS: Transport Layer Security) is a digitally signed document used to establish a secure connection between the client and the server.
Creating an SSL certificate can be divided into the following steps:

  • create a private key;
  • create a request to obtain a certificate (Certificate Signing Request, CSR);
  • create a self-signed certificate.

To create the certificates I have written a small shell-script:

At the top of the script, you can fill in the default values:

Then to create the key and self-signed certificate, you will need to perform:

The first command creates a private key in /etc/pki/tls/private/, the second command creates a self-signed certificate in /etc/pki/tls/certs/, and the third command checks the validity of this certificate.
Note: regardless of the script, if verifying any certificate prints something like:

This means that the information required to validate this certificate is missing from the folder /etc/pki/tls/certs. Make sure that the certificate being validated is present in that folder, and that there is also a symlink to it whose name is the certificate's hash instead of its file name. If there is no such symlink, you need to create it:

Where $CRT is the file name of the certificate.
If you plan to sign the certificate in «an adult way», on the side, you need to create a private key and request to obtain a certificate:

The contents of the csr file, you must send in a company that will certify your certificate.
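The whole procedure described above (private key, CSR, self-signed certificate, the hash symlink, and the verification check that fails without it), written out as an added example. This is not the script from the post; it works in a scratch directory passed as an argument instead of /etc/pki/tls, and the common name, subject fields and validity period are constructed values:

```shell
#!/bin/sh
# Added example, not the post's own script. Uses a scratch directory
# (argument "$1") in place of /etc/pki/tls; subject fields are made up.
set -eu

# Step 1+2: private key and a CSR to send to a CA.
make_key_and_csr() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"                      # keys are readable by root only
    openssl genrsa -out "$dir/private/$cn.key" 2048 2>/dev/null
    chmod 600 "$dir/private/$cn.key"
    openssl req -new \
        -key "$dir/private/$cn.key" \
        -subj "/C=XX/O=Example Org/CN=$cn" \
        -out "$dir/certs/$cn.csr"
}

# Step 3: a self-signed certificate from the same key (365 days is an assumption).
make_self_signed() {
    dir="$1"; cn="$2"
    openssl req -new -x509 -days 365 \
        -key "$dir/private/$cn.key" \
        -subj "/C=XX/O=Example Org/CN=$cn" \
        -out "$dir/certs/$cn.crt"
}

# The symlink named after the subject hash, which "openssl verify -CApath"
# uses to find the issuer (here the certificate itself, since it is self-signed).
add_hash_symlink() {
    dir="$1"; cn="$2"
    hash=$(openssl x509 -noout -subject_hash -in "$dir/certs/$cn.crt")
    ln -sf "$cn.crt" "$dir/certs/$hash.0"
    echo "$dir/certs/$hash.0"
}

# The validity check from the post. Exit status 0 = OK, non-zero = error
# such as "unable to get local issuer certificate".
verify_cert() {
    dir="$1"; cn="$2"
    openssl verify -CApath "$dir/certs" "$dir/certs/$cn.crt" >/dev/null 2>&1
}

# Subject line of the certificate, useful when checking which name you signed.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Usage: ./tls-lazy.sh /tmp/tls www.example.test
if [ "${1:-}" ] && [ "${2:-}" ]; then
    make_key_and_csr "$1" "$2"
    make_self_signed "$1" "$2"
    if verify_cert "$1" "$2"; then
        echo "unexpected: verified without hash symlink"
    else
        echo "verification fails without the hash symlink, as the post describes"
    fi
    link=$(add_hash_symlink "$1" "$2")
    echo "created $link"
    verify_cert "$1" "$2" && echo "verification OK"
    cert_subject "$1/certs/$2.crt"
fi
```

The failing verification before `add_hash_symlink` reproduces the situation the note above describes; after the symlink exists, `openssl verify -CApath` finds the certificate as its own issuer and reports OK. The same symlink can also be produced for a whole directory with `c_rehash`.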
Also, you can use a script like this:

If you use a free certificate from StartSSL, do the following:

Otherwise certificate verification will fail with an error:
