## Creating a new key, with a self-signed root CA

This should only be done once, in a clean directory. The resulting key and certificate are needed for every app certificate you sign later.
### 1. Generate the root CA (private key and self-signed certificate)

The -des3 option forces a passphrase on the key. You don't want someone hijacking your root CA and signing stuff with it.

```sh
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem -config "/c/program files (x86)/git/ssl/openssl.cnf"
```
### 2. Add the CA certificate to the machine's trust store

https://msdn.microsoft.com/en-us/library/ms733813%28v=vs.110%29.aspx, section "Installing a Certificate in the Trusted Root Certification Authorities Store". Import rootCA.pem (the certificate); rootCA.key stays private and never leaves the CA directory.
## Create a new certificate

### 1. Create a certificate signing request and a key

Use an app-specific config file here, with "CN=localhost.ssl" set to the app's hostname.

```sh
openssl req -new -nodes -newkey rsa:2048 -sha224 -config openssl.cnf -keyout server.key -out server.csr
```
### 2. Create a new certificate

This also generates a rootCA.srl file, which I assume is only needed the first time, but is definitely needed.

```sh
openssl x509 -req -in server.csr -sha224 -extfile openssl.cnf -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 1024 -out server.crt
```
### 3. Make off with your new files (server.key, server.csr, server.crt)
## Renew a certificate

### 1. Check whether the certificate is expired

```sh
openssl x509 -in server.crt -noout -enddate
```
### 2. Create a certificate signing request from the existing key

```sh
openssl x509 -in server.crt -signkey server.key -x509toreq -out new.csr
```
### 3. Sign the new certificate with the root CA

Sign with the root CA, the same way as in step 2 of "Create a new certificate", not with server.key alone: a self-signed renewal would not chain to the root installed on the machine.

```sh
openssl x509 -req -days 365 -in new.csr -sha224 -extfile openssl.cnf -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out new.crt
```
### 4. Verify the new certificate against the root CA (should end with OK)

```sh
openssl verify -CAfile rootCA.pem new.crt
```
### 5. Replace the old certificate with the new one, and delete the CSR

```sh
mv new.crt server.crt && rm new.csr
```
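The whole flow above (root CA, app certificate, renewal with the existing key, chain check) as shell functions, added here as an example and not part of the original notes. It writes its own minimal config instead of the Git-for-Windows openssl.cnf, puts the hostname in subjectAltName (clients no longer accept CN alone), and skips the -des3 passphrase so it can run non-interactively; the hostname, file names and "Local Dev Root CA" name are assumptions.

```sh
# Added example: one config serves both the root CA (v3_ca) and the app cert (v3_leaf).
write_cnf() {  # $1 = CN / hostname, $2 = output path
  cat > "$2" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$1
EOF
}

make_root_ca() {  # $1 = directory (assumed); no -des3 here so it runs non-interactively
  write_cnf "Local Dev Root CA" "$1/ca.cnf"
  openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/rootCA.key" -days 1024 -config "$1/ca.cnf" -out "$1/rootCA.pem"
}

issue_leaf() {  # $1 = directory, $2 = hostname, $3 = days; reuses server.key if present (renewal)
  write_cnf "$2" "$1/app.cnf"
  [ -f "$1/server.key" ] || openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -config "$1/app.cnf" -out "$1/server.csr"
  openssl x509 -req -in "$1/server.csr" -sha256 -extfile "$1/app.cnf" -extensions v3_leaf \
    -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" -CAcreateserial -days "$3" -out "$1/server.crt" 2>/dev/null
}

verify_leaf() {  # $1 = directory, $2 = hostname; the private root must be passed explicitly
  openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

key_matches_cert() {  # $1 = directory; true when server.crt carries server.key's public key
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/server.key" -pubout)" ]
}
```

Typical use: `make_root_ca ./pki && issue_leaf ./pki localhost.ssl 1024 && verify_leaf ./pki localhost.ssl`; running `issue_leaf` again with the same directory is the renewal, since it keeps server.key and only issues a fresh certificate.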