Generate Client Private Key:

openssl genrsa -out server.key 2048

Generate Client Certificate:

openssl req -new -sha256 -x509 -days 3650 -key server.key -out server.crt

Certificate Signing Request (CSR):

openssl req -new -key server.key -out server.csr

Generate CA Private Key:

The key is encrypted with des3, so OpenSSL prompts for a passphrase; it must be more than 4 characters:

openssl genrsa -des3 -out ca.key 4096

Generate CA Certificate:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Add the following configuration to the CA config file, /private/etc/ssl/openssl.cnf on a macOS system:

[ ca ]
default_ca    = ca_default

[ ca_default ]
dir           = /etc/ssl/diyca
certs         = $dir/certs
crl_dir       = $dir/crl
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/cacert.pem
serial        = $dir/serial
crl           = $dir/crl.pem
private_key   = $dir/private/cakey.pem
# md5 signatures are rejected by current browsers and TLS libraries; use sha256
default_md    = sha256
RANDFILE      = $dir/private/.rand
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

Sign Certificate with CA (the directory /etc/ssl/diyca must already exist with an empty index.txt, a serial file, and a newcerts directory, or openssl ca refuses to run):

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -days 3650

openssl ca also writes a copy of each issued certificate into newcerts, named after its serial number; copy it out as server.pem:

cp /etc/ssl/diyca/newcerts/00.pem server.pem

Now you can deploy server.key and server.pem on your web server. Note: browsers do not trust self-signed certificates, or certificates issued by a private CA like this one, by default.
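As an added example (not the original post's commands), the whole procedure as one script: it creates the directory layout openssl ca expects, uses its own openssl.cnf instead of editing the system file, signs the CSR, and verifies the chain before anything is deployed. Assumptions: OpenSSL 1.1.1 or newer, AES-256 in place of des3, a constructed passphrase and subjects, and a SAN of localhost.

```shell
#!/bin/sh
# Added example: private CA in a scratch directory with its own openssl.cnf,
# then sign a server CSR and verify the chain. Assumes openssl 1.1.1+.
set -eu
build_and_verify() {
  dir=$1                       # scratch CA directory, hypothetical path
  CA_PASS=${2:-changeit}       # CA key passphrase, constructed placeholder
  mkdir -p "$dir/newcerts"; : > "$dir/index.txt"   # ca needs the database file
  echo 01 > "$dir/serial"      # first issued cert is written as newcerts/01.pem
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = ca_default
[ ca_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
policy          = policy_match
x509_extensions = server_ext
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:localhost
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA key (AES-256 rather than legacy des3) and a self-signed CA certificate
  # explicitly marked CA:TRUE so that chain verification accepts it as a root
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
    -key "$dir/ca.key" -passin "pass:$CA_PASS" -out "$dir/ca.crt" \
    -subj "/C=US/ST=CA/O=Example CA/CN=Example Root CA" \
    -addext "basicConstraints=critical,CA:TRUE"
  # Server key and CSR: C/ST/O must equal the CA's because of policy_match
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -config "$dir/openssl.cnf" -new -key "$dir/server.key" \
    -out "$dir/server.csr" -subj "/C=US/ST=CA/O=Example CA/CN=localhost"
  openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/server.csr" \
    -out "$dir/server.pem" -passin "pass:$CA_PASS" -days 825 -notext
  # The check a deployer wants before installing server.key + server.pem
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.pem"
}
```

Run it as `build_and_verify /path/to/scratch-ca` after sourcing the file; the final openssl verify line prints `server.pem: OK` when the issued certificate chains to the CA.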