SSL certificates are cool. They will be used more and more. This tutorial should be used only on development and/or test environments!

For a production environment please use the already trusted Certificate Authorities (CAs).

This key & certificate will be used to sign other self signed certificates. That will be covered in another tutorial.

here's a video:

 

Generate the CA key

You'll be prompted to enter a password.

openssl genrsa -des3 -out myCA.key 2048

 

Generate the Certificate

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem

 

3650 means that it will be valid for 10 years. Yes!

You can optionally remove the password from the key. For development purposes it would most likely be OK.

 

Make a backup of the original key

Linux/Mac: cp myCA.key myCA.key.with_pwd
Windows: copy myCA.key myCA.key.with_pwd


Export the CA key without a password

This is useful so you don't have to keep track of the password and/or use a script to sign self-signed SSL certificates.

openssl rsa -in myCA.key.with_pwd -out myCA.key

 

Convert the CA certificate from .PEM to .CRT format

openssl x509 -outform der -in myCA.pem -out myCA.crt

 

You may get the following errors:

How to fix OpenSSL error unable to write random state.

To fix this use this in the command line.

 

Windows

set RANDFILE=.rnd

Linux/Mac

export RANDFILE=.rnd

 

Another OpenSSL WARNING: can't open config file: /apache24/conf/openssl.cnf

 

This is fixable by setting an ENV variable that points to this file. I have copied this from my current Apache installation.

If you don't have it download it from this gist: https://gist.github.com/lordspace/c2edd30b793e2ee32e5b751e8f977b41

Windows: set OPENSSL_CONF=openssl.cnf

Linux: export OPENSSL_CONF=openssl.cnf

 

 

Related