Create a file named caconfig.cnf in ~/certs containing the caconfig.cnf shown above.
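# Run the following commands as mig
#
# Sets up a minimal OpenSSL CA under ~/certs, then issues one server
# certificate and one client certificate signed by that CA. Each genrsa /
# req / ca step prompts interactively for passphrases and subject fields.
# caconfig.cnf (shown above) must already exist in ~/certs before the
# 'openssl ca' steps run.
set -euo pipefail

# Private keys must not be group/world readable. The umask applies to every
# file created below, including the passwordless server.key.insecure.
umask 077

# Initial setup for openssl ca stuff to work
mkdir -p ~/certs
cd ~/certs || { printf 'cannot cd to ~/certs\n' >&2; exit 1; }
mkdir -p certs
touch index.txt
printf '%s\n' 01 > serial
# Fail early instead of at the first 'openssl ca' call.
[[ -f caconfig.cnf ]] || { printf 'caconfig.cnf missing in %s\n' "$PWD" >&2; exit 1; }

# == Generate Certificate Authority ==
# -aes256 replaces the legacy -des3 cipher for encrypting the key file.
openssl genrsa -aes256 -out cacert.key 4096
openssl req -new -key cacert.key -out cacert.csr
openssl req -x509 -days 365 -in cacert.csr -out cacert.crt -key cacert.key
# Verify certificate
openssl x509 -in cacert.crt -text
# Convert to DER and then to PEM
# PEM is used for apache. cacert.crt is already PEM (openssl's default output
# format), so cacert.pem holds the same certificate; it is kept only so the
# expected filename exists. cacert.der is the binary form for other importers.
openssl x509 -in cacert.crt -out cacert.der -outform DER
openssl x509 -in cacert.der -out cacert.pem -inform DER -outform PEM

# == Generate server certificate ==
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl ca -days 365 -in server.csr -cert cacert.crt -keyfile cacert.key -out server.crt -config caconfig.cnf
# Generate "passwordless" key
# Avoid apache asking for password on every startup. This file is the
# unencrypted private key; the umask above keeps it owner-readable only.
openssl rsa -in server.key -out server.key.insecure
# Verify certificate
openssl x509 -in server.crt -text

# == Generate client certificate ==
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
# No -days here: the validity period comes from caconfig.cnf.
openssl ca -in client.csr -cert cacert.crt -keyfile cacert.key -out client.crt -config caconfig.cnf
# Verify certificate
openssl x509 -in client.crt -text
# Export to PKCS12 format
# -clcerts bundles only the client certificate (not the CA) with its key;
# the export prompts for a new passphrase protecting client.p12.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12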
When generating a client certificate issued by your own CA, complete the following steps:
- generate client key
- generate certificate request
- create and sign the certificate
- OPTIONAL: to use the certificate in a browser, convert it to PKCS#12 format