This should only be done once, in a clean directory. The key and certificate are needed for each app.
The `-des3` option encrypts the key so that a password is required to use it. You don't want someone hijacking your root CA and signing stuff.
```sh
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem -config "/c/program files (x86)/git/ssl/openssl.cnf"
```
See https://msdn.microsoft.com/en-us/library/ms733813%28v=vs.110%29.aspx, section "Installing a Certificate in the Trusted Root Certification Authorities Store".
Need to use an app-specific config file here, where "CN=localhost.ssl"
```sh
# -new creates a fresh request; -in is only for reading an existing CSR, so it is not used here
openssl req -new -nodes -newkey rsa:2048 -sha224 -config openssl.cnf -keyout server.key -out server.csr
```
This also generates a rootCA.srl file, which I assume is only needed the first time, but is definitely needed.
```sh
openssl x509 -req -in server.csr -sha224 -extfile openssl.cnf -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 1024 -out server.crt
```
### 1. Check if the certificate is expired
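```sh
# Show the expiry date of the current certificate
openssl x509 -in server.crt -noout -enddate
# Rebuild a CSR from the existing certificate and key
openssl x509 -in server.crt -signkey server.key -x509toreq -out new.csr
# Sign the rebuilt CSR with the server key (self-signed) for 365 days
openssl x509 -req -days 365 -in new.csr -signkey server.key -out new.crt
# Verify the new certificate
openssl verify new.crt
# Replace the old certificate and remove the temporary CSR
mv new.crt server.crt && rm new.csr
```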
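
The checks behind the renewal steps above, as an added shell example (not part of the original notes): it tests expiry with `-checkend`, confirms the key matches the certificate, and verifies the chain against `rootCA.pem`, which shows that a certificate renewed with `-signkey` is self-signed and no longer chains to the root. The function names and the throwaway "Demo Root CA" are constructed for the demonstration; the file names follow the page.

```sh
#!/bin/sh
# Added example, not from the original notes. File names follow the page;
# the function names and the throwaway "Demo Root CA" are constructed here.

# Succeeds if the certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds if the private key $2 belongs to the certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate $2 chains to the root CA certificate $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Builds a throwaway CA and leaf in directory $1, then renews the leaf twice:
# selfsigned.crt via -signkey, casigned.crt via the root CA.
make_demo_pki() (
    cd "$1" || exit 1
    exec >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key \
        -out rootCA.pem -days 30 -subj "/CN=Demo Root CA" &&
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
        -out server.csr -subj "/CN=localhost.ssl" &&
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
        -CAcreateserial -days 10 -out server.crt &&
    openssl x509 -in server.crt -signkey server.key -x509toreq -out new.csr &&
    openssl x509 -req -in new.csr -signkey server.key -days 365 \
        -out selfsigned.crt &&
    openssl x509 -req -in new.csr -CA rootCA.pem -CAkey rootCA.key \
        -CAserial rootCA.srl -days 365 -out casigned.crt
)
```

Run `make_demo_pki "$(mktemp -d)"` and call the three check functions on the files it writes; against real files, `chains_to_root rootCA.pem server.crt` is the check to run before replacing a certificate.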
On the first step on Creating a new certificate, how do you pass a certificate authority that was created using makecert?