Home / server / Questions / 498268
In Process
CarpeNoctem
Asked: 2013-04-11 21:11:55 +0800 CST

Redhat - command/s run post-install to generate default localhost.crt?

  • 772

I cloned a VM and the ssl certificate has the old hostname. I need to generate a new ssl certificate.

My question is what method was used by the server to create the initial certificate? Was this done as part of the post-install for an RPM? I'll use openssl if there's not a generation script that can be run. Thanks!

ssl

3 Answers

  1. If you're concerned about preserving the current localhost.crt, move it from the directory then enter:

    make testcert

    in /etc/pki/tls/certs

    • 2

  2. To answer the OP's question (as opposed to providing methods to generate localhost.crt): it depends on the Linux distribution and version. There are many distributions that use RPM, but I will mention two of the most widely used.

    On CentOS 7/RHEL 7, it is done in the postinstall scriptlet of the mod_ssl package. Run the following command to see the full scriptlet:

    rpm -q --scripts mod_ssl

    The part that actually creates the certificate is this:

    cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
         -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
         -out /etc/pki/tls/certs/localhost.crt 2>/dev/null

    On Fedora 29, things are a bit more complicated:

    • The httpd service (/usr/lib/systemd/system/httpd.service) has a soft dependency on httpd-init.service.
    • httpd-init.service (/usr/lib/systemd/system/httpd-init.service) is part of the mod_ssl package.
    • httpd-init.service executes /usr/libexec/httpd-ssl-gencerts, which generates the certificate using sscg.

    The relevant part of the /usr/libexec/httpd-ssl-gencerts is this:

    sscg -q                                                             \
     --cert-file           /etc/pki/tls/certs/localhost.crt         \
     --cert-key-file       /etc/pki/tls/private/localhost.key       \
     --ca-file             /etc/pki/tls/certs/localhost.crt         \
     --lifetime            365                                      \
     --hostname            $FQDN                                    \
     --email               root@$FQDN

    The sscg tool is a small stand-alone program (not a script). Quoting from the Fedora package description:

    A utility to aid in the creation of more secure "self-signed" certificates. The certificates created by this tool are generated in a way so as to create a CA certificate that can be safely imported into a client machine to trust the service certificate without needing to set up a full PKI environment and without exposing the machine to a risk of false signatures from the service certificate.

    • 1

  3. You can quickly generate a new self-signed certificate and private key using the following command and just follow the prompts.

    openssl req -new -x509 -newkey rsa:2048 -keyout server.key -nodes -days 3650 -out server.crt

    One thing I've found enormously useful when I don't care about the attributes of a certificate and just want the hostname to match is that you can pipe attributes into the openssl, just change test.example.tld in the command below to match whatever hostname you want to use. It'll leave all of the attributes blank and you'll end up with server.crt and server.key in your current directory:

    echo -e "XX\n\n \n \n\ntest.example.tld\n\n" | openssl req -new -x509 -newkey rsa:2048 -keyout server.key -nodes -days 3650 -out server.crt &> /dev/null
    • 0