To make a new SSL private key:
- Generate a new unencrypted RSA private key in PEM format:
    openssl genrsa -out privkey.pem 1024
  You can create an encrypted (passphrase-protected) key by adding the -des3 option.
To make a self-signed certificate:
- Create a certificate signing request (CSR) using your RSA private key:
    openssl req -new -key privkey.pem -out certreq.csr
  ( This is also the type of CSR you would create to send to a root CA for them to sign for you. )
- Self-sign your CSR with your own private key:
    openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
To make a certificate signed by your own certificate authority (CA):
- Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
    vi /etc/ssl/openssl.cnf
    /usr/lib/ssl/misc/CA.pl -newca
  Your copy of openssl.cnf and CA.pl may be located elsewhere.
- Create an unsigned certificate using your RSA private key:
    openssl req -new -x509 -key privkey.pem -out cert.pem
- Use your private key and your certificate to make a CSR:
    cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
- Sign the certificate with the CA private key using the CSR you just made:
    openssl ca -in certreq.csr -out newcert.pem
    rm -f certreq.csr
To install the signed certificate and private key for use by an SSL server:
- The newcert.pem is the certificate signed by your local CA that you can then use in an SSL server:
    ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
    ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0   # dot-zero
  ( The server.pem is a PEM file that can be used by apache along with the hash file. )

You can view the contents of a CSR with:
    openssl req -noout -text -in certreq.csr
You can view the contents of a certificate with:
    openssl x509 -noout -text -in newcert.pem
You can display the MD5 fingerprint of a certificate with:
    openssl x509 -fingerprint -noout -in newcert.pem
You can verify that your private key, CSR, and signed cert match by comparing the output of these three commands:
    openssl rsa -noout -modulus -in privkey.pem | openssl md5
    openssl req -noout -modulus -in certreq.csr | openssl md5
    openssl x509 -noout -modulus -in newcert.pem | openssl md5
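As an added example that is not part of the original howto, the following POSIX shell script runs the whole sequence above end to end: it makes a 2048-bit key (the howto's 1024-bit size is no longer accepted by most clients), a CSR, a self-signed certificate, then a throw-away CA and a CA-signed certificate, bundles cert and key into server.pem with the hash-named link, and finally turns the modulus comparison into a function that succeeds only when key, CSR and certificate all agree. The CA step uses openssl x509 -req -CA, which needs no openssl.cnf or CA.pl setup, instead of the howto's openssl ca; SHA-256 replaces MD5 for digesting the modulus because only equality matters. The file names, the CN values and the temporary work directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original howto. Assumes openssl(1) is on PATH.
# File names and subjects below are illustrative.
set -eu

# Digest of the RSA modulus in a key (rsa), CSR (req) or certificate (x509).
# Only equality of the digests matters, so SHA-256 stands in for the howto's MD5.
modulus_digest() {
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only when private key, CSR and certificate share one modulus.
key_csr_cert_match() {
    k=$(modulus_digest rsa "$1")
    r=$(modulus_digest req "$2")
    c=$(modulus_digest x509 "$3")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Key, CSR and self-signed certificate, as in the first two sections of the howto,
# written into directory $1. 2048 bits rather than the howto's 1024.
make_self_signed() {
    dir=$1
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/privkey.pem" -subj "/CN=example.test" -out "$dir/certreq.csr"
    openssl x509 -req -days 3650 -in "$dir/certreq.csr" -signkey "$dir/privkey.pem" \
        -out "$dir/selfsigned.pem" 2>/dev/null
}

# Throw-away CA plus a certificate it signs from the CSR made above.
# x509 -req -CA replaces the howto's CA.pl/openssl ca route and needs no config file.
make_ca_signed() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
        -subj "/CN=Example Test CA" -days 3650 -out "$dir/cacert.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/certreq.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/newcert.pem" 2>/dev/null
}

# Succeeds only when certificate $2 chains to the CA certificate $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# server.pem and the hash-named link, exactly as the howto assembles them.
bundle_for_server() {
    dir=$1
    ( openssl x509 -in "$dir/newcert.pem"; cat "$dir/privkey.pem" ) > "$dir/server.pem"
    ( cd "$dir" && ln -sf server.pem "$(openssl x509 -hash -noout -in server.pem).0" )
}

# Walk-through with a positive and a negative check.
work=$(mktemp -d)
make_self_signed "$work"
make_ca_signed "$work"
bundle_for_server "$work"
if key_csr_cert_match "$work/privkey.pem" "$work/certreq.csr" "$work/newcert.pem"; then
    echo "privkey.pem, certreq.csr and newcert.pem share one modulus"
fi
if chain_verifies "$work/cacert.pem" "$work/newcert.pem"; then
    echo "newcert.pem chains to cacert.pem"
fi
# A key that did not produce the CSR must fail the same check.
openssl genrsa -out "$work/otherkey.pem" 2048 2>/dev/null
if ! key_csr_cert_match "$work/otherkey.pem" "$work/certreq.csr" "$work/newcert.pem"; then
    echo "otherkey.pem does not belong to newcert.pem (mismatch detected)"
fi
```

The negative check at the end is the one worth keeping around: a server that is handed a certificate and a key from different generations will fail at startup or, worse, at the first handshake, and comparing moduli before deployment catches that in seconds.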
See Also:
openssl certificates howto
openssl keys howto
brief CA and CERT howto
CA and CERT howto