Create the password-protected root certificate key and self-sign the root certificate:
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
How to install the root certificate greatly depends on the client. Browsers have specific places to install certificates. Some operating systems can also install one at the OS level, so you can use it outside of the browsers, for example.
When issuing the second openssl command below, the common name must match the IP or FQDN that the client will use to access the server. So if the server will be on localhost, the common name must be localhost. If it's going to be on 127.0.0.1, then the common name must be 127.0.0.1:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256
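
The same procedure run non-interactively, as an added example that is not part of the original page: it also sets a subjectAltName when signing, because current browsers such as Chrome match the server name against that extension rather than the common name, and it then checks the chain and the name match. The CA name, the passphrase, the san.ext file and the helper function names are assumptions; -aes256 is used here in place of the page's -des3.

```shell
#!/bin/sh
# Added example (not from the original page). CA name and passphrase are constructed.
set -eu

issue_local_cert() {    # hypothetical helper; $1 = output directory
    mkdir -p "$1" && (
        cd "$1" &&
        # Pass the key passphrase via the environment, not the command line.
        export CA_PASS='constructed-demo-passphrase' &&
        # Root CA: encrypted key and self-signed certificate.
        openssl genrsa -aes256 -passout env:CA_PASS -out rootCA.key 2048 2>/dev/null &&
        openssl req -x509 -new -key rootCA.key -passin env:CA_PASS -sha256 \
            -days 1024 -subj '/CN=Example Local Root CA' -out rootCA.pem &&
        # Server key and CSR; the CN is the name the client will use.
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -subj '/CN=localhost' -out server.csr &&
        # "x509 -req" does not copy CSR extensions by default, so the SAN list
        # is supplied at signing time and covers both the hostname and the IP.
        printf 'subjectAltName = DNS:localhost, IP:127.0.0.1\n' > san.ext &&
        openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
            -passin env:CA_PASS -CAcreateserial -extfile san.ext \
            -out server.crt -days 500 -sha256 2>/dev/null
    )
}

cert_chains_to() {      # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
cert_matches_host() {   # $1 = certificate, $2 = DNS name the client uses
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
cert_matches_ip() {     # $1 = certificate, $2 = IP address the client uses
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
issue_local_cert "$demo_dir"
cert_chains_to "$demo_dir/rootCA.pem" "$demo_dir/server.crt" && echo "chain: OK"
for name in localhost example.com; do
    if cert_matches_host "$demo_dir/server.crt" "$name"; then
        echo "$name: match"
    else
        echo "$name: no match"
    fi
done
rm -rf "$demo_dir"
```
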