A quick and dirty creation of CA-signed certificates

I recently faced the task of creating an OpenSSL certificate that in turn should be signed by a CA (Certificate Authority). In my case, I was allowed to create my own CA, and thus sign my own certificate.

Here is a “quick and dirty” way of creating these certificates.

First, we want to create the CA key and certificate. We will use these to “sign” our own certificate later. In this example I am using OpenSSH version 0.9.7d-15.13.

cd /etc/ssl
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem

Now we’ll create a certificate request. This is much what it sounds like: a request for a signed certificate.

openssl req -new -config ./openssl.cnf -nodes -out ./server-req.pem \
-keyout ./server-key.pem

As you can see, this creates a certificate request (server-req.pem) and a key (server-key.pem). Now we’ll sign the certificate request (server-req.pem) with the CA certificate (cacert.pem) and its key (private/cakey.pem).

# -CA and -CAkey select the issuer; -signkey (self-signing) is not used here
openssl x509 -req -in server-req.pem -out server-cert.pem \
-CA cacert.pem -CAkey private/cakey.pem \
-CAcreateserial -days 365

Done! The certificate is now signed by your very own (not very trustworthy) CA. The key and certificate can now be used with, for example, Apache (when using https) or, as in my case, any other odd OpenSSL implementation :)
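
The three steps above, run non-interactively in a scratch directory and followed by checks that the result really is CA-signed and matches its key. This is an added example, not code from the original post; the subject names, RSA-2048 keys, the unencrypted CA key (-nodes) and the temporary paths are assumptions made so it runs without prompts.

```shell
#!/bin/sh
# Added example: issue a CA-signed certificate in a scratch directory and verify it.
# Assumptions: subject names, RSA-2048 keys, -nodes (unencrypted CA key), temp paths.
make_and_check() {
    dir=$(mktemp -d) || return 1
    rc=0
    (
        cd "$dir" || exit 1
        # Step 1: CA key and self-signed CA certificate.
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
            -subj "/CN=Example Test CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        # Step 2: server key and certificate request.
        openssl req -new -nodes -newkey rsa:2048 \
            -subj "/CN=server.example.test" \
            -keyout server-key.pem -out server-req.pem 2>/dev/null || exit 1
        # Step 3: sign the request with the CA key.
        openssl x509 -req -in server-req.pem -out server-cert.pem \
            -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365 \
            2>/dev/null || exit 1

        # Check 1: the certificate chains to the CA certificate.
        openssl verify -CAfile cacert.pem server-cert.pem >/dev/null 2>&1 \
            || { echo "chain verification failed"; exit 1; }
        # Check 2: the issuer is the CA's subject, so the result is not self-signed.
        issuer=$(openssl x509 -in server-cert.pem -noout -issuer | sed 's/^[a-z]*= *//')
        ca_subj=$(openssl x509 -in cacert.pem -noout -subject | sed 's/^[a-z]*= *//')
        [ "$issuer" = "$ca_subj" ] || { echo "unexpected issuer: $issuer"; exit 1; }
        # Check 3: the public key in the certificate belongs to server-key.pem.
        cert_pub=$(openssl x509 -in server-cert.pem -noout -pubkey)
        key_pub=$(openssl pkey -in server-key.pem -pubout)
        [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch"; exit 1; }
        echo "ok"
    ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}

make_and_check
```

The same three checks can be run by hand against the files in /etc/ssl after following the steps in the post.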


 
 
 
