[ TechnoCage | Caskey | SSL ]

OpenSSL

Creating a self-signed cert with one command

The following command generates a new key and a self-signed certificate in one step, writing both into the same file, which is suitable for use by Apache or any other SSL tool.

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout www.example.com.pem  -out www.example.com.pem

You can then use the file above in Apache with the following two lines:

SSLEngine On
SSLCertificateFile www.example.com.pem

Expired Certificates and Invalid Serial Numbers

When a self-signed certificate finally expires, more stringent clients may refuse the new self-signed certificate that replaces it. This is because the serial number on your new self-signed certificate is the same as the serial on the old one *and* you probably haven't changed the host/CA identification (the State/Location/OrganizationalUnit information).

Thunderbird is one such client; it reacts badly when it gets a 'new' cert signed by the 'old' CA. The right solution would be a parameter under 'req -x509' to specify the serial number you want used. Since that is unavailable, I simply include the current year in the OU field, which makes it a 'different' self-signer and solves the problem.
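The one-liner above and the serial-number problem it leads to, as an added example that is not part of the original page: the script below generates a self-signed key and certificate the same way, but writes the key and certificate to separate files, pins the serial number with the -set_serial option that later OpenSSL releases added to req, and tags the OU with the year as the page suggests. It then reads the serial back and checks that a replacement certificate differs from the old one and still validates against itself. The subject fields, hostnames and file names are made up; it assumes the openssl CLI is on PATH with its default openssl.cnf available.

```shell
#!/bin/sh
# Added example, not from the original page: a self-signed key and certificate
# made the same way as the one-liner above, but with an explicit serial number
# and a year-tagged OU. Assumes the openssl CLI is on PATH with its default
# openssl.cnf available; all names below are made up.
set -eu

# Generate an RSA key and a self-signed certificate in one step.
# Arguments: output prefix, hostname, serial number (decimal), year for the OU.
# The key goes to PREFIX.key and the certificate to PREFIX.crt.
make_self_signed() {
    prefix=$1; host=$2; serial=$3; year=$4
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 365 \
        -set_serial "$serial" \
        -subj "/C=US/ST=Somestate/L=Somecity/O=Example Org/OU=selfsigned-$year/CN=$host" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# Print a certificate's serial number as the hex string openssl reports.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Print the certificate's subject line, so the year tag in the OU can be seen.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Succeed when the certificate validates with itself as the trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeed when two certificates carry different serial numbers, which is what
# a picky client needs before it accepts a replacement for an expired cert.
serials_differ() {
    [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}

# Demo: the original certificate and its replacement a year later.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_self_signed "$demo_dir/old" www.example.com 1 2004
make_self_signed "$demo_dir/new" www.example.com 2 2005
echo "old: serial $(cert_serial "$demo_dir/old.crt"), $(cert_subject "$demo_dir/old.crt")"
echo "new: serial $(cert_serial "$demo_dir/new.crt"), $(cert_subject "$demo_dir/new.crt")"
serials_differ "$demo_dir/old.crt" "$demo_dir/new.crt" && echo "serials differ: ok"
verify_self_signed "$demo_dir/new.crt" && echo "new cert verifies against itself: ok"
```

Because the key and certificate are in separate files here, Apache needs SSLCertificateKeyFile pointing at the .key file next to the SSLCertificateFile line; the page's single-file form needs only SSLCertificateFile.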

Setting up a certificate authority (CA) without using ca.sh

These are rough notes waiting to be edited; use at your own risk.

  1. First, make a directory to store your stuff, like /var/lib/CA.
  2. In it, make a directory named private/ and a directory named newcerts/.
  3. Touch CA/index.txt.
  4. echo '01' > CA/serial
  5. Generate your CA's root key: openssl genrsa 4096 > CA/private/cakey.pem
  6. Generate your CA's creq: openssl req -key CA/private/cakey.pem -out CA/cacert-req.pem -days 0 -new
  7. Self-sign your CA's root cert: openssl x509 -req -in CA/cacert-req.pem -signkey CA/private/cakey.pem -out CA/cacert.pem
  8. Generate a key & creq on the client side ([keygen into private/key.pem]; openssl req -key private/host.example.com.pem)
  9. Sign the creq using the new CA: openssl ca -in crls/rudy.technocage.com.crl
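The steps above as one runnable script, added here and not part of the original notes: it creates the directory layout, writes a small config file giving "openssl ca" the database, serial, policy and extension settings it needs (the part ca.sh normally hides), self-signs the root certificate, issues a certificate for a client request and verifies the result against the CA certificate. Everything lives in a scratch directory; the paths, subjects and hostnames are made up, and it assumes the openssl CLI (1.1.1 or later) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original notes: a minimal CA built with the
# openssl CLI alone, in the directory layout the steps above describe.
# Assumes the openssl CLI (1.1.1 or later) is on PATH; all paths, subjects
# and hostnames are made up for this example.
set -eu

# Create the CA directory layout, write the config file that "openssl ca"
# needs (database, serial, policy, extensions), and self-sign the root cert.
init_ca() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/newcerts"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"          # empty certificate database
    echo 01 > "$cadir/serial"       # next serial number to issue
    cat > "$cadir/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = local_ca

[ local_ca ]
database        = $cadir/index.txt
new_certs_dir   = $cadir/newcerts
serial          = $cadir/serial
certificate     = $cadir/cacert.pem
private_key     = $cadir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = v3_leaf

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # Root key (2048 bits to keep the example quick) and self-signed root cert.
    openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null
    openssl req -config "$cadir/openssl.cnf" -new -x509 -days 3650 \
        -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" \
        -subj "/O=Example CA/CN=Example Root CA" 2>/dev/null
}

# Client side: a private key and a certificate request for one host.
make_request() {
    cadir=$1; prefix=$2; host=$3
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    openssl req -config "$cadir/openssl.cnf" -new -key "$prefix.key" \
        -out "$prefix.csr" -subj "/O=Example Org/CN=$host" 2>/dev/null
}

# CA side: sign the request with "openssl ca", which also records the new
# certificate in index.txt and newcerts/ and advances the serial file.
sign_request() {
    cadir=$1; prefix=$2
    openssl ca -config "$cadir/openssl.cnf" -batch -notext \
        -in "$prefix.csr" -out "$prefix.crt" 2>/dev/null
}

# Succeed when an issued certificate chains to the CA certificate.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# Number of valid ("V") entries in the CA database.
issued_count() {
    grep -c '^V' "$1/index.txt"
}

# Demo in a scratch directory.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
init_ca "$work/CA"
make_request "$work/CA" "$work/host.example.com" host.example.com
sign_request "$work/CA" "$work/host.example.com"
verify_issued "$work/CA" "$work/host.example.com.crt" && echo "issued cert verifies: ok"
echo "next serial: $(cat "$work/CA/serial"), certificates issued: $(issued_count "$work/CA")"
```

Note that "openssl ca -in" is given the client's certificate request, not a CRL as in step 9 of the notes; each signed certificate also lands in newcerts/ under its serial number and adds a "V" line to index.txt, which is the state that later revocation and CRL generation work from.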

Other useful notes at:


Comments welcome.

Last updated: 2004-08-29