Simple SSL cert HOWTO

• Make a new ssl private key:

  • Generate a new unencrypted rsa private key in PEM format:

        openssl genrsa -out privkey.pem 1024
    

    You can create an encrypted key by adding the -des3 option.
    
    

• To make a self-signed certificate:

  • Create a certificate signing request (CSR) using your rsa private key:

        openssl req -new -key privkey.pem -out certreq.csr
    

    ( This is also the type of CSR you would create to send to a root CA for them to sign for you. )
    
    
  • Self-sign your CSR with your own private key:

        openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
    

    
    

• To make a certificate signed by your own certificate authority (CA):

  • Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:

        vi /etc/ssl/openssl.cnf
        /usr/lib/ssl/misc/CA.pl -newca
    

    Your copy of openssl.cnf and CA.pl may be located elsewhere.
    
    
  • Create an unsigned certificate using your rsa private key:

        openssl req -new -x509 -key privkey.pem -out cert.pem
    

  • Use your private key and your certificate to make a CSR:

        cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
    

  • Sign the certificate with the CA private key using the CSR you just made:

        openssl ca -in certreq.csr -out newcert.pem
        rm -f certreq.csr
    

    
    

• To install the signed certificate and private key for use by an ssl server:

  • The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:

        ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
        ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0   # dot-zero
    

    ( The server.pem is a PEM file that can be used by apache along with the hash file. )
    
  
  
  You can view the contents of a CSR with:
  

      openssl req -noout -text -in certreq.csr
  

  You can view the contents of a certificate with:
  

      openssl x509 -noout -text -in newcert.pem
  

  You can display the MD5 fingerprint of a certificate with:
  

      openssl x509 -fingerprint -noout -in newcert.pem
  

  You can verify that your private key, CSR, and signed cert match by comparing:
  

      openssl rsa -noout -modulus -in privkey.pem |openssl md5
      openssl req -noout -modulus -in certreq.csr |openssl md5
      openssl x509 -noout -modulus -in newcert.pem |openssl md5