HowTo make your own Self-Signed SSL Certificate

server setup: combined private key and cert
==================================================================================

### Create server key (2048 bits or more: 1024-bit RSA is too weak and many current TLS stacks reject it)
openssl genrsa -out ./server.key 2048

### Create certificate request
openssl req -new -key server.key -out server.csr

    FQDN:     Common Name: foo.example.com
  or
    Wildcard: Common Name: *.example.com

### self sign key (increment the serial number "N" for each new cert)
openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt

### combine the key and cert in one PEM file for simplicity
cat server.key server.crt > combined.pem

### view the details of the cert you just made
openssl x509 -in combined.pem -noout -text

### copy cert into place (the file contains the private key, so keep it readable by root only)
cp combined.pem /etc/ssl/certs/

apache specific:
--------------------------------------------------
edit httpd.conf and/or ssl.conf

SSLCertificateFile /etc/ssl/certs/combined.pem

bin/apachectl startssl

CA set up... for client certs not server cert... donno who
==================================================================================

### create CA key
openssl genrsa -out ./ca.key 2048

### create CA request
openssl req -new -key ca.key -out ca.csr

### self-sign CA request -> CA cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

### install it in apache
cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt

### edit httpd.conf
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt

client setup
==================================================================================

### create client key
openssl genrsa -out client.key 2048

### request client cert
openssl req -new -key client.key -out client.csr

### sign client cert with CA key!
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

### convert to opera/sn/ie format (key and cert in 1 file)
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

### test it
openssl s_client -host example.com -port 443 -key client.key -cert client.crt

### print out cert contents
openssl x509 -noout -text -in client.crt

### print out key contents (useless?)
openssl rsa -noout -text -in client.key

another source: http://www.pseudonym.org/ssl/ssl_ca.html
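
Added example (not part of the original notes): checks worth running on a combined key+cert PEM before copying it into place: key size, key/cert match, and remaining lifetime. The function names and the constructed "old"/"new" sample files are assumptions for the demo; it needs only openssl on the PATH.

```sh
#!/bin/sh
# Added example: pre-deployment checks for a combined key+cert PEM file.
# All function names here are hypothetical helpers, not openssl commands.

# Print the RSA modulus size in bits of the private key in FILE.
key_bits() {  # usage: key_bits FILE
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the certificate in CERT carries the public key of KEY.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print one line per problem found in a combined PEM; print nothing if clean.
audit_pem() {  # usage: audit_pem FILE [MIN_BITS] [MIN_DAYS_LEFT]
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge "${2:-2048}" ] || echo "weak-key:${bits:-0}"
    key_matches_cert "$1" "$1" || echo "key-cert-mismatch"
    openssl x509 -in "$1" -noout -checkend $(( ${3:-30} * 86400 )) \
        >/dev/null 2>&1 || echo "expires-soon"
}

# Constructed sample material: key -> CSR -> self-signed cert -> combined PEM,
# written as DIR/NAME.key, NAME.crt and NAME.pem.
make_sample() {  # usage: make_sample DIR NAME BITS DAYS
    openssl genrsa -out "$1/$2.key" "$3" 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=foo.example.com" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days "$4" -set_serial 1 -in "$1/$2.csr" \
        -signkey "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT            # sample keys are throwaway
make_sample "$demo" old 1024 10       # undersized key, short lifetime
make_sample "$demo" new 2048 365
echo "old.pem: $(audit_pem "$demo/old.pem" | tr '\n' ' ')"
echo "new.pem: $(audit_pem "$demo/new.pem" | tr '\n' ' ')"
```
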