Creating a certificate authority. These days you need one even just to test an HTTPS web server: create the CA, issue a certificate for the HTTPS service and sign it with the CA, import the CA certificate into the browser, then access the HTTPS service.
The NSS tooling used below (certutil and pk12util from nss-tools, with the certificate databases kept under /etc/pki/nssdb) is the default on Fedora, RHEL, CentOS and Scientific Linux.
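#!/usr/bin/env bash
# Build a throwaway test CA with NSS certutil, issue a server certificate for
# SERVICENAME, and export cert + key to PEM for an OpenSSL-based httpd.
#
# Needs nss-tools (certutil, pk12util) and openssl; run as root, writes under
# /etc/pki/nssdb. The steps are interactive:
#   - "certutil -N" asks for a database password. Set one for CA_db: it is
#     what protects the CA private key.
#   - "-2" adds basicConstraints and prompts "Is this a CA certificate [y/N]?".
#     Answer "y" for the CA, "n" for the service certificate — otherwise the
#     server cert is itself a CA that can issue further certificates.
#   - "pk12util -o" asks for an export password for the PKCS#12 file.
set -euo pipefail

# Everything created here (CA db, PKCS#12, unencrypted key) is secret:
# create it readable by root only.
umask 077

dnf -y install nss-tools

SERVICENAME="rhel7b.fluxcoil.net"
CA_NICK="chorn test CA"
NSSDIR=/etc/pki/nssdb

### create the CA itself
cd "$NSSDIR"
mkdir CA_db
certutil -N -d CA_db
# -x: self-signed; -2: basicConstraints (answer "y" here);
# -v 120: valid for ten years — without -v certutil issues a cert that is
# only valid for three months, so the test CA would silently expire.
certutil -S -d CA_db -n "$CA_NICK" \
  -s "CN=test,O=MYORG,L=Tokyo,C=JA" -t "CT,," -x -2 -v 120
# export the CA cert as PEM x509, for import into browsers / other dbs
certutil -L -d CA_db -n "$CA_NICK" -a -o CA_db/rootca.crt
# show details
certutil -L -d ./CA_db

### create the server/services db and trust the CA in it
mkdir "$NSSDIR/server_db"
certutil -N -d server_db
certutil -A -d server_db -n "$CA_NICK" -t "TC,," -a -i CA_db/rootca.crt

### create a service cert, e.g. for https
# A PKCS#10 request carries no validity period, so -v belongs on the signing
# step below, not here.
certutil -R -d server_db \
  -s "CN=$SERVICENAME,O=MYORG,L=Tokyo,C=JA" \
  -a -o "server_db/$SERVICENAME.req"
# Sign the request with the CA:
#   -v 12 : valid for 12 months
#   -2    : basicConstraints — answer "n" (this is a leaf, not a CA)
#   -8    : subjectAltName with the host name; browsers match the SAN, not
#           the CN (drop -8 only if your certutil is too old to know it)
certutil -C -d CA_db -c "$CA_NICK" -a \
  -i "server_db/$SERVICENAME.req" -o "server_db/$SERVICENAME.crt" \
  -v 12 -2 -8 "$SERVICENAME"
# import the issued cert into the server db, next to its private key
certutil -A -d server_db -n "$SERVICENAME" -a \
  -i "server_db/$SERVICENAME.crt" -t ",,"
# verify the cert chains to the CA for SSL-server usage (-u V)
certutil -V -d server_db -u V -n "$SERVICENAME"

cd server_db/
openssl x509 -in "$SERVICENAME.crt" -noout -text
# export cert + private key as PKCS#12 (prompts for an export password)
pk12util -d . -o "$SERVICENAME.pk12" -n "$SERVICENAME"
# the resulting .pem holds the cert and the passphrase-protected key
openssl pkcs12 -clcerts -in "$SERVICENAME.pk12" -out "$SERVICENAME.pem"
# create keyfile without passphrase, so httpd can start unattended;
# umask 077 above makes it root-only, chmod makes that explicit
openssl rsa -in "$SERVICENAME.pem" \
  -out "${SERVICENAME}_key_nopass.pem"
chmod 600 "$SERVICENAME.pk12" "$SERVICENAME.pem" "${SERVICENAME}_key_nopass.pem"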
# Point an OpenSSL-based httpd (mod_ssl) at the PEM files exported above.
# NOTE(review): this session runs on rhel7a and the paths use
# rhel7a.fluxcoil.net, while the listing above sets SERVICENAME to
# rhel7b.fluxcoil.net — the file names here must match whatever
# SERVICENAME was when the certificate was issued.
[root@rhel7a server_db]# yum -y install mod_ssl
[..]
# grep shows only the directives that were pointed into /etc/pki/nssdb;
# the rest of ssl.conf is left at its defaults.
[root@rhel7a server_db]# grep nssdb /etc/httpd/conf.d/ssl.conf
# the .pem from "openssl pkcs12 -clcerts": the server cert (it also carries
# the passphrase-protected key, which mod_ssl ignores here)
SSLCertificateFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net.pem
# the unencrypted key from "openssl rsa" — keep it root-only (0600); httpd is
# started as root here, so no other user should need to read it (confirm)
SSLCertificateKeyFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net_key_nopass.pem
# the test CA certificate exported with "certutil -L -a"
SSLCACertificateFile /etc/pki/nssdb/CA_db/rootca.crt
[root@rhel7a server_db]# systemctl start httpd