First create an openssl.cnf with the following contents. It has two extension sections: [ v3_ca ] is applied to the self-signed certificate that req -x509 produces (through x509_extensions), and [ v3_req ] is applied later, when the CA signs a server CSR. Keeping them separate is what stops the server certificate from being marked as a CA itself, which a single section with CA:true for both would do:
oid_section = new_oids
[ new_oids ]
[ req ]
# default_days belongs to the [ ca ] section; the certificate lifetime here comes from -days on the command line
distinguished_name = req_distinguished_name
encrypt_key = no
string_mask = nombstr
x509_extensions = v3_ca # Extensions added to the self-signed certificate made with -x509 (not to a CSR)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Espoo
commonName = Common Name (eg, YOUR name)
commonName_default = foo.org
commonName_max = 64
emailAddress = Email Address
emailAddress_default = root@foo.org
emailAddress_max = 40
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=DNS:*.foo.org,DNS:*.foo.info,DNS:*.foo.eu,DNS:*.foo.fi
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
Create an RSA private key for your server (AES-256 encrypted and PEM formatted; older guides use -des3, but Triple-DES is legacy and any current OpenSSL supports -aes256):
$ openssl genrsa -aes256 -out server.key 4096
Back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key with:
$ openssl rsa -noout -text -in server.key
If necessary, you can also write out a decrypted PEM version of this RSA private key (not recommended: anyone who can read the file can impersonate the server, so if you need it for an unattended Apache start, keep it mode 0600 and owned by root):
$ openssl rsa -in server.key -out server.key.unsecure
Create a self-signed certificate (X.509) with the RSA key you just created (output will be PEM formatted):
$ openssl req -new -x509 -config openssl.cnf -sha256 -days 3650 -key server.key -out server.crt
With -x509, req writes a self-signed certificate directly to server.crt; no CSR is created or signed at this point. The extensions named by x509_extensions in openssl.cnf are applied, so the certificate carries basicConstraints CA:true and can serve as the CA certificate in the next section. SHA-1 signatures (-sha1 in older guides) are rejected by current browsers, hence -sha256.
You can see the details of this Certificate using:
$ openssl x509 -noout -text -in server.crt
Now you can use these as the certificate and key for the Apache server if you want. If you want to be your own certificate authority (CA) you have to do some additional steps. First rename the files created so far: server.key to ca.key, server.key.unsecure to ca.key.unsecure and server.crt to ca.crt. Then create a fresh RSA private key for the server (AES-256 encrypted and PEM formatted):
$ openssl genrsa -aes256 -out server.key 4096
Back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key with:
$ openssl rsa -noout -text -in server.key
If necessary, you can also write out a decrypted PEM version of this RSA private key (not recommended, for the same reason as above):
$ openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
$ openssl req -new -config openssl.cnf -key server.key -out server.csr
Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when OpenSSL prompts you for the Common Name, i.e. when you generate a CSR for a website that will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. Note that Chrome (since version 58) ignores the Common Name entirely and matches the host only against subjectAltName, and other TLS clients have been moving the same way, so the name must also be covered by the subjectAltName line in the v3_req section, which is applied when the CA signs the request. You can see the details of this CSR with:
$ openssl req -noout -text -in server.csr
Finally sign the certificate request with your CA's private key, applying the v3_req extensions from openssl.cnf (this is where the subjectAltName ends up in the certificate):
$ openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile openssl.cnf -extensions v3_req -out server.crt
-CAcreateserial replaces the fixed -set_serial 01 seen in older guides: a fixed serial gives every certificate you issue the same (issuer, serial) pair, and Firefox for one refuses a second certificate that reuses one (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). OpenSSL keeps the counter in ca.srl next to ca.crt; store that file together with the CA key.
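The whole procedure, from the CA key to a verified server certificate, as an added example that is not part of the original page. It uses an openssl.cnf with separate v3_ca and v3_req sections, leaves the keys unencrypted so it can run unattended (add -aes256 by hand when doing this for real), writes everything to a temporary directory, and the names example.test and Example Private CA and the -subj strings are made up. Beyond signing, it checks the result the way a client would: openssl verify against the CA, a hostname match against the SAN, and a check that the leaf is not itself a CA.

```shell
#!/bin/sh
# Added example (not from the original page): private CA + server certificate,
# end-to-end and non-interactive, then verified.
# Assumptions: unencrypted keys (for unattended use), made-up names
# (example.test, Example Private CA), everything in a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config, two extension sections: v3_ca for the self-signed CA certificate
# (picked up via x509_extensions when req is run with -x509) and v3_req for the
# server certificate (selected with -extensions when the CA signs the CSR).
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
string_mask        = utf8only
prompt             = no

[ req_distinguished_name ]
C  = FI
L  = Espoo
CN = Example Private CA

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer

[ v3_req ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test, DNS:*.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# CA key and self-signed CA certificate (the files the text renames to ca.*).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$WORK/openssl.cnf" \
    -key "$WORK/ca.key" -subj "/C=FI/L=Espoo/CN=Example Private CA" \
    -out "$WORK/ca.crt"
}

# Server key and CSR; the CN is the FQDN, but clients match on the SAN.
make_server_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORK/openssl.cnf" \
    -key "$WORK/server.key" -subj "/C=FI/L=Espoo/CN=www.example.test" \
    -out "$WORK/server.csr"
}

# Sign the CSR with the CA, applying v3_req (CA:FALSE plus the SANs).
# -CAcreateserial keeps a unique serial counter in ca.srl instead of a fixed 01.
sign_server() {
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_req \
    -out "$WORK/server.crt"
}

# Does server.crt chain to ca.crt and match host $1? Prints OK or FAIL.
hostname_ok() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
       "$WORK/server.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Prints the leaf's basicConstraints CA flag: TRUE or FALSE.
leaf_ca_flag() {
  if openssl x509 -noout -text -in "$WORK/server.crt" | grep -q 'CA:TRUE'; then
    echo TRUE
  else
    echo FALSE
  fi
}

write_config
make_ca
make_server_csr
sign_server
echo "www.example.test: $(hostname_ok www.example.test)"   # OK
echo "evil.example.org: $(hostname_ok evil.example.org)"   # FAIL
echo "leaf is a CA:     $(leaf_ca_flag)"                   # FALSE
```

The hostname checks are the point of the SAN line: www.example.test matches the exact entry, any single label under example.test matches the wildcard, and an unrelated host fails even though the certificate chains correctly. The last line is the check the original single-section config would have failed, since it gave the server certificate CA:true.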