To create a self-signed certificate for testing (without encrypting the private key file):
openssl req -new -x509 -nodes -out server.crt -keyout server.key
To encrypt the private key file:
openssl rsa -des3 -in server.key -out server.key.new && mv server.key.new server.key
To create a private key (Triple-DES encrypted and PEM formatted; the trailing number is the key length in bits, and 1024 is below current minimums):
openssl genrsa -des3 -out server.key 1024
To create a private key (PEM formatted, but not encrypted):
openssl genrsa -out server.key 1024
To see the details of the private key:
openssl rsa -noout -text -in server.key
To create a decrypted PEM version of the private key (removes the passphrase, so the file is then protected only by filesystem permissions; not recommended):
openssl rsa -in server.key -out server.key.unsecure
To create a CSR (certificate signing request, PEM formatted):
openssl req -new -key server.key -out server.csr
To see the details of a CSR:
openssl req -noout -text -in server.csr
To set up your own Certificate Authority (CA):
1. Create a directory on an appropriate partition (the space needed depends on the number of certificates you will issue; it should be outside your home directory)
2. Within this directory create these directories and files:
mkdir certs crl newcerts private && echo "01" > serial && touch index.txt
3. Edit the openssl.cnf (usually /usr/share/ssl/openssl.cnf) to set the dir variable in the [ CA_default ] section to that directory.
4. Create a private key as explained above (step 5 below expects it to be named cakey.pem)
5. Create a CA certificate: openssl req -new -x509 -nodes -sha1 -days 3650 -key cakey.pem -out cacert.crt
6. Put the created CA certificate and key files in the locations named by the certificate and private_key entries of openssl.cnf (the file names must match those entries).
7. Edit the policy setting (inside openssl.cnf, in the [ CA_default ] section) from policy_match to policy_anything
8. Edit the req_distinguished_name section to allow multiple Common Name (CN) and subjectAltName entries (the example openssl.cnf below instead supplies the alternative names through the subjectAltName = @alt_names extension in its [ usr_cert ] section):
0.commonName = "First Common Name"
0.commonName_default = "www.domain.com"
0.commonName_max = 64
1.commonName = "Second Common Name"
1.commonName_default = "www.domain.com"
1.commonName_max = 64
0.subjectAltName = dNSName:domain.com
1.subjectAltName = dNSName:*.domain.com
2.subjectAltName = dNSName:*.*.domain.com
3.subjectAltName = DNS:example.com
4.subjectAltName = DNS:www.example.com
To sign a CSR:
openssl ca -out server.crt -infiles server.csr
To view the details of a certificate:
openssl x509 -noout -text -in server.crt
Example of openssl.cnf:
# Default (unnamed) section: these keys are read before any [ section ] below.
HOME = .
# $ENV::HOME refers to the HOME environment variable.
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
# Referenced by oid_section above; currently defines no OIDs.
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
# `openssl ca` reads the section named here unless -name overrides it.
[ ca ]
default_ca = CA_default # The default ca section
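####################################################################
[ CA_default ]
# dir must be the directory created in step 1 of the CA setup above;
# everything else is relative to it. Keep private/ readable by the
# CA operator only, since it holds the CA key.
dir = /root/certificates # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution. It copies extensions
# from the CSR, so the requester (not this file) would decide what
# the issued certificate asserts.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
# Signature digest for issued certificates and CRLs. The original
# value here was md5, which is collision-broken and rejected by
# current clients; sha256 is the current baseline.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# Which [ policy_* ] section governs the subject DN of signed CSRs.
policy = policy_anything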
# DN policies: match = must equal the CA certificate's value,
# supplied = must be present, optional = may be absent.
# policy_match is not in effect while [ CA_default ] sets
# policy = policy_anything.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Accepts any subject as long as a commonName is present; the CA
# operator is then the only check on what gets signed.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
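####################################################################
# Defaults for `openssl req`.
[ req ]
# RSA key length when req generates a key. The original value here was
# 1024, which is below current minimums; 2048 is the usual floor today.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# nombstr restricts DN strings to PrintableString/T61String (no
# BMPString or UTF8String); utf8only is the modern choice if
# non-ASCII names are ever needed.
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request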
# Prompts for the subject DN. For each field: the bare key is the prompt
# text, _default is the value offered at the prompt, _min/_max are
# length limits. The N. prefixes allow a field to appear more than once.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Mateo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Genius.com Inc
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NetOps
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# CSR attributes. challengePassword is stored in the CSR itself; it is
# not the private key passphrase and does not protect the key.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
# Extensions added by `openssl ca` to every issued certificate
# (selected by x509_extensions = usr_cert in [ CA_default ]).
[ usr_cert ]
# Issued certificates cannot themselves act as a CA.
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# Every certificate signed with this section receives the full
# [ alt_names ] list below, regardless of what the CSR asked for;
# trim that list per certificate rather than issuing one cert for
# all domains.
subjectAltName = @alt_names
# Subject Alternative Names appended to every certificate issued via
# [ usr_cert ]. Each entry is a wildcard covering one label under the
# named domain.
[ alt_names ]
DNS.1 = *.rsvp1.com
DNS.2 = *.pxy3.com
DNS.3 = *.pxy4.com
DNS.4 = *.netg1.com
DNS.5 = *.netg4.com
DNS.6 = *.gsv1.com
DNS.7 = *.gsv3.com
DNS.8 = *.rsvp3.com
DNS.9 = *.rsvp4.com
DNS.10 = *.rsvp5.com
DNS.11 = *.gns5.com
DNS.12 = *.genius-network.com
DNS.13 = *.genius-network2.com
DNS.14 = *.gotgenie.com
DNS.15 = *.rsvpgenius.com
DNS.16 = *.gotgenius.com
DNS.17 = *.salesgenius.com
# Extensions placed in a CSR (req_extensions = v3_req in [ req ]).
# The CA only honours them if copy_extensions is enabled in [ CA_default ].
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions for the self-signed CA certificate (x509_extensions = v3_ca
# in [ req ]). NOTE(review): consider marking basicConstraints critical
# and adding keyUsage = cRLSign, keyCertSign so the CA cert is limited
# to issuing; verify against the clients that must accept it.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
# CRL extensions; only used if crl_extensions = crl_ext is uncommented
# in [ CA_default ].
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
https://docs.indymedia.org/view/Sysadmin/CaCertSsl#HTTP_multiple_domain_names
http://wiki.cacert.org/wiki/VhostsApache
http://wiki.cacert.org/wiki/VhostTaskForce#head-5868dc7fb125370f7ae8931cd77f03aeb966ad53