This is not part of the official process.
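# Creating a CA key and self-signed CA certificate:
# req -new -x509 - Emit a self-signed X.509 certificate instead of a CSR.
# -nodes - The private key is NOT encrypted with a passphrase; only the file
#          permissions (set at the end of this procedure) protect it.
# -days 3650 - 10*365 = 3650 days, i.e. about 10 years.
# -newkey rsa:2048 -sha256 - Generate a fresh 2048-bit RSA key; sign with SHA-256.
# -subj '/C=CO/L=City/CN=example.com/O=Company Ltd./' - Subject (and issuer) DN.
# -keyout ca-privkey - CA private key.
# -out ca-pubkey - The self-signed CA certificate (not a request: -x509 makes
#                  req skip the CSR and output a certificate directly).
#
# More info:
# openssl req --help
# or
# less /usr/sbin/make-ssl-cert
#
# Depending on the OpenSSL version, the key file may be created with the shell's
# current umask (022 -> world-readable) and stay that way until the final chmod.
# Running openssl under umask 077 in a subshell closes that window without
# changing the umask of the interactive session.
(
  umask 077
  openssl req \
  -new -x509 -nodes -days 3650 \
  -newkey rsa:2048 -sha256 \
  -subj '/C=HU/L=Budapest/CN=example.com/O=Company Ltd./' \
  -keyout /etc/ssl/private/example.com.ca-privkey.pem \
  -out /etc/ssl/certs/example.com.ca-pubkey.pem
)
# Double-check (-noout: print only the decoded fields, not the PEM blob again)
openssl x509 -text -noout -in /etc/ssl/certs/example.com.ca-pubkey.pem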
# The result looks something like this:
# Certificate:
# Data:
# Version: 3 (0x2)
# Serial Number: 9316180554939260853 (0x8149b8db008e5fb5)
# Signature Algorithm: sha256WithRSAEncryption
# Issuer: C=HU, L=Budapest, CN=example.com, O=Company Ltd.
# Validity
# Not Before: Oct 15 00:39:19 2012 GMT
# Not After : Oct 13 00:39:19 2022 GMT
# Subject: C=HU, L=Budapest, CN=example.com, O=Company Ltd.
# Subject Public Key Info:
# Public Key Algorithm: rsaEncryption
# Public-Key: (2048 bit)
This is also needed for the official process.
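# Request to the CA (generates the server's private key and a CSR):
# req -new -newkey rsa:2048 -sha256 - New 2048-bit RSA key; CSR signed with SHA-256.
# -nodes - The private key won't be protected by a passphrase.
# -subj '/C=HU/L=Budapest/CN=example.com/O=Company Ltd./' \
# - Company details (the requested subject DN).
# -keyout privkey - private key.
# -out pubkey.csr - request to the CA.
#
# More info:
# openssl req --help
#
# CSR directory: root-owned, group ssl-cert may enter it, others may not.
# Chained with && so a failed mkdir does not leave the chmod/chown running
# against a directory that does not exist.
mkdir -p /etc/ssl/csr && chmod 750 /etc/ssl/csr && chown root:ssl-cert /etc/ssl/csr
# Same precaution as for the CA key: depending on the OpenSSL version the key
# may be written with the session umask, so restrict it in a subshell.
(
  umask 077
  openssl req \
  -new -nodes -newkey rsa:2048 -sha256 \
  -subj '/C=HU/L=Budapest/CN=example.com/O=Company Ltd./' \
  -keyout /etc/ssl/private/example.com.privkey.pem \
  -out /etc/ssl/csr/example.com.csr.pem
)
# The CSR is not secret; the umask above also made it 0600, so restore the
# world-readable mode a default umask would have produced.
chmod 644 /etc/ssl/csr/example.com.csr.pem
# Double-check: -verify checks the CSR's self-signature (the request really
# belongs to the key just generated); -noout suppresses the PEM blob.
openssl req -text -noout -verify -in /etc/ssl/csr/example.com.csr.pem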
# Result:
# Certificate Request:
# Data:
# Version: 0 (0x0)
# Subject: C=HU, L=Budapest, CN=example.com, O=Company Ltd.
# Subject Public Key Info:
# Public Key Algorithm: rsaEncryption
# Public-Key: (2048 bit)
This is also not part of the official process.
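# Signing with CA:
# x509 -req -sha256 - Read a CSR instead of a certificate; sign with SHA-256.
# -days 3650 - Validity period in days (10 years). Public CA / browser policy
#              caps TLS server certificates at much shorter lifetimes, so use
#              a value the intended clients accept.
# -CAcreateserial - Take the serial number from a .srl file kept next to the
#                   CA certificate, creating it on first use. Serials must be
#                   unique per issuer; a fixed '-set_serial 01' would give every
#                   certificate this CA ever signs the same serial number.
# -CAkey ca-privkey - CA private key.
# -CA ca-pubkey - CA certificate.
# -in csr - Request file.
# -extfile - X.509v3 extensions to add. Without it, x509 -req emits a
#            version 1 certificate with no extensions at all ("Version: 1" in
#            the original sample output): no subjectAltName, which current TLS
#            clients require for host-name matching, and no basicConstraints,
#            so nothing states that this leaf is not itself a CA. The file is
#            supplied inline via bash process substitution.
# -out pubkey - Signed certificate.
#
# More info:
# openssl x509 --help
#
openssl x509 -req -sha256 -days 3650 \
-CAcreateserial \
-CAkey /etc/ssl/private/example.com.ca-privkey.pem \
-CA /etc/ssl/certs/example.com.ca-pubkey.pem \
-in /etc/ssl/csr/example.com.csr.pem \
-extfile <(printf '%s\n' \
  'basicConstraints=CA:FALSE' \
  'subjectAltName=DNS:example.com') \
-out /etc/ssl/certs/example.com.pubkey.pem
# Double-check: decode the certificate (expect Version 3, the two extensions
# above and a non-trivial serial), then confirm it chains to the CA.
openssl x509 -text -noout -in /etc/ssl/certs/example.com.pubkey.pem
openssl verify -CAfile /etc/ssl/certs/example.com.ca-pubkey.pem \
  /etc/ssl/certs/example.com.pubkey.pem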
# Result:
# Certificate:
# Data:
# Version: 1 (0x0)
# Serial Number: 1 (0x1)
# Signature Algorithm: sha256WithRSAEncryption
# Issuer: C=HU, L=Budapest, CN=example.com, O=Company Ltd.
# Validity
# Not Before: Oct 15 01:07:58 2012 GMT
# Not After : Oct 13 01:07:58 2022 GMT
# Subject: C=HU, L=Budapest, CN=example.com, O=Company Ltd.
# Subject Public Key Info:
# Public Key Algorithm: rsaEncryption
# Public-Key: (2048 bit)
Setting up the permissions on the files:
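# Permissions
# Certificates are public: world-readable, nobody may write.
chmod 444 /etc/ssl/certs/example.com.*.pem
# The CA private key is only read by the root-run signing step above, so it
# does not need the ssl-cert group, which exists so that services can read
# *server* keys; keep it root-only.
chown root:root /etc/ssl/private/example.com.ca-privkey.pem
chmod 400 /etc/ssl/private/example.com.ca-privkey.pem
# The server key is read by services running in group ssl-cert; owner and
# group may read, nobody may write, others get nothing.
chown root:ssl-cert /etc/ssl/private/example.com.privkey.pem
chmod 440 /etc/ssl/private/example.com.privkey.pem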