Generate SSL Certificate

A SSL cetificate enables an encrypted connection between client and server. In this exercise, will try to generate self signed certificate and a Let’s encrypt certificate with

Self signed cert using OpenSSL

mkdir -p /etc/nginx/certificates
cd /etc/nginx/certificates

# Generate a private key for the CA
openssl genrsa 2048 > ca-key.pem
# Generate the X509 certificate for the CA
openssl req -new -x509 -nodes -days 365000 \
      -key ca-key.pem -out ca-cert.pem

# Create a private key and certificate request
openssl req -newkey rsa:2048 -days 365000 \
      -nodes -keyout server-key.pem -out server-req.pem

# remove the passphrase if any
openssl rsa -in server-key.pem -out server-key.pem

# Create a self-signed X509 certificate
openssl x509 -req -in server-req.pem -days 365000 \
      -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
      -out server-cert.pem

# update the permission
chmod 644 *
# Verify the X509 certificate
openssl verify -CAfile ca-cert.pem server-cert.pem

Generate with acme script

# run as root

yum install socat -y

wget -O - | sh -s email=<youremail>
ln -s  /root/ /usr/local/bin/

# change default authority
/usr/local/bin/ --set-default-ca --server letsencrypt

/usr/local/bin/ --register-account -m <youremail>

# elliptic curve cryptography (ECC)
/usr/local/bin/  --issue -d <yourdomain>  --standalone -k ec-256

/usr/local/bin/ --installcert -d <yourdomain> --ecc  --key-file   /home/ec2-user/certificates/server.key   --fullchain-file /home/ec2-user/certificates/server.crt

# remove a domain
/usr/local/bin/ --remove --domain <yourdomain> --ecc
# renew
/usr/local/bin/ --renew --domain <yourdomain>l --ecc --force

# Get pkcs12(pfx) format
# /usr/local/bin/ --toPkcs -d <domain> [--password pfx-password]
/usr/local/bin/ --toPkcs -d <yourdomain> --password changeme --ecc