Category: Web Development
SSL certificates are cool. They will be used more and more. This tutorial should be used only on development and/or test environments!
For a production environment please use the already trusted Certificate Authorities (CAs).
This key & certificate will be used to sign other self signed certificates. That will be covered in another tutorial.
here's a video:
Generate the CA key
You'll be prompted to enter a password.
openssl genrsa -des3 -out myCA.key 2048
Generate the Certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem
3650 means that it will be valid for 10 years. Yes!
You can optionally remove the password from the key. For development purposes it would most likely be OK.
Make a backup of the original key
Linux/Mac: cp myCA.key myCA.key.with_pwd
Windows: copy myCA.key myCA.key.with_pwd
Export the CA key without a password
This is useful so you don't have to keep track of the password and/or use a script to sign self-signed SSL certificates.
openssl rsa -in myCA.key.with_pwd -out myCA.key
Convert the CA certificate from .PEM to .CRT format
openssl x509 -outform der -in myCA.pem -out myCA.crt
You may get the following errors:
How to fix OpenSSL error unable to write random state.
To fix this use this in the command line.
Another OpenSSL WARNING: can't open config file: /apache24/conf/openssl.cnf
This is fixable by setting an ENV variable that points to this file. I have copied this from my current Apache installation.
If you don't have it download it from this gist: https://gist.github.com/lordspace/c2edd30b793e2ee32e5b751e8f977b41
Windows: set OPENSSL_CONF=openssl.cnf
Linux: export OPENSSL_CONF=openssl.cnf