initial setup:
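# Create the CA working tree. The layout (private/, newcerts/, index.txt,
# serial) presumably matches the CA section of openssl.cnf; confirm the
# dir / new_certs_dir / database / serial settings there.
mkdir -p /data/ca/newcerts
mkdir -p /data/ca/private
# The CA private key will live here: keep the directory owner-only so a
# permissive umask does not leave it listable or readable by other users.
chmod 700 /data/ca/private
touch /data/ca/index.txt
# Seed the serial counter only on first setup; overwriting an existing
# counter would make the CA hand out serial numbers it has already issued.
[ -e /data/ca/serial ] || echo 1001 > /data/ca/serial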
generate CA key:
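# Generate the 4096-bit CA key, encrypted under a passphrase that openssl
# prompts for. AES-256 replaces the legacy 3DES (-des3) key wrapping.
openssl genrsa -aes256 -out /data/ca/private/cakey.pem 4096
# Owner-only access, regardless of the umask in effect when the key was written.
chmod 600 /data/ca/private/cakey.pem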
self-sign ca cert:
# Issue the self-signed CA certificate (SHA-256 signature, valid 3650 days)
# from the CA key. openssl asks for the key passphrase if the key is encrypted.
openssl req -new -x509 -sha256 -days 3650 \
  -config /usr/local/openssl/openssl.cnf \
  -key /data/ca/private/cakey.pem \
  -out /data/ca/cacert.pem
generate host key + CSR:
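# Generate a 2048-bit host key and its CSR in one step. -nodes leaves
# server.key unencrypted so a service can load it unattended, which makes
# file permissions the only protection: the subshell umask keeps the new
# files owner-only without changing the umask of the calling shell.
# (OpenSSL 3.0 spells this option -noenc; -nodes is still accepted.)
(
  umask 077
  openssl req -sha256 -newkey rsa:2048 -nodes -keyout server.key -config /usr/local/openssl/openssl.cnf -out server.csr
)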
host CSR from an existing key:
# Build a CSR for a key that already exists (aoyama.key); no new key is
# generated here, so the key file keeps whatever permissions it already has.
openssl req -new -sha256 \
  -config /usr/local/openssl/openssl.cnf \
  -key aoyama.key \
  -out aoyama.csr
CA signs host CSR:
# Sign the host CSR with the CA and write the certificate to server.crt.
# No -days or -md is given, so validity and digest come from openssl.cnf;
# check default_days / default_md and the signing policy there. Review the
# subject that openssl displays before confirming the signature.
# -infiles must stay last: everything after it is treated as a CSR file.
openssl ca \
  -config /usr/local/openssl/openssl.cnf \
  -out server.crt \
  -infiles server.csr
dh param generate:
# Generate 2048-bit Diffie-Hellman parameters. These are public values,
# not a secret key, so the output file needs no special permissions.
dh_bits=2048
openssl dhparam -out "dh${dh_bits}.pem" "${dh_bits}"
convert to Google App Engine format:
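# Re-encode the host key and certificate as PEM files for upload.
# private.pem is created by the shell redirection, so its mode follows the
# umask; the subshell umask keeps this copy of the private key owner-only.
# -text also writes the key components in readable form ahead of the PEM
# block, so the whole file is as sensitive as the key itself.
(
  umask 077
  openssl rsa -in server.key -text > private.pem
)
# public.pem holds only the certificate, which is not secret.
openssl x509 -inform PEM -in server.crt > public.pem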