From charlesreid1

Revision as of 21:04, 20 October 2010

Installing

Prerequisites

In order to create your own SSL certificate, you'll need OpenSSL installed on your machine.

Creating a Certificate Authority

Typically, a company will pay hundreds or thousands of dollars to a Certificate Authority, and in return that company's website will be granted an "official" signed SSL Certificate.

A signed SSL Certificate means the SSL Certificate is trusted by an authority. This makes it possible to make secure connections between a user and a server.

To create a new CA:

$ /usr/local/ssl/misc/CA.pl -newca

If you want to go back and change information about the CA certificate (e.g. the number of days it will be valid), you can run:

$ openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
$ cp cacert.pem demoCA


Generating the Server Certificate

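This creates a private key (FOO-key.pem) and a certificate request (FOO-req.pem) for your server. The request is then signed by the CA (normally someone like Verisign, but in this case YOU) to produce the server certificate.

The "-nodes" option writes the private key without a pass phrase, so the pass phrase is not required at each reboot. The key file is therefore unencrypted on disk and should be readable only by its owner.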

$ openssl req -new -nodes \
  -subj '/CN=mydomain.com/O=Blah blah blah/C=US/ST=State/L=Place/emailAddress=username@somewhere.com' \
  -keyout FOO-key.pem -out FOO-req.pem -days 3650

Note above that "/O=Blah blah blah" must match the name given in the original CA. For example, "/O=blahblahblah." will not work. It must be exact.

Signing the Server Certificate

Once you've created the server certificate, it's time to sign it using the certificate authority power, which we granted ourselves.

$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
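
The checks below are an added example, not part of the original wiki page: they test the exact "/O=" match and the "-nodes" key permissions described above, then confirm the signed certificate matches its key and verifies against the CA. The function names are hypothetical, the files are throwaway samples, and "openssl x509 -req" stands in for "openssl ca" so the demo runs without a demoCA directory.

```shell
#!/bin/sh
# Added example: sanity checks around the signing step (not the wiki's own code).

# Print the organizationName (O=) of a certificate ("x509") or a request ("req").
subject_org() {  # usage: subject_org x509|req FILE
    openssl "$1" -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *organizationName *= *//p'
}

# The O= of the request must equal the O= of the CA certificate exactly.
org_matches() {  # usage: org_matches CA_CERT REQUEST
    [ "$(subject_org x509 "$1")" = "$(subject_org req "$2")" ]
}

# The signed certificate must carry the public key of the private key on disk.
key_matches() {  # usage: key_matches KEY CERT
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# The signed certificate must verify against the CA certificate.
chain_ok() {  # usage: chain_ok CA_CERT CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# -nodes leaves the key unencrypted, so group and others must have no access.
key_private() {  # usage: key_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on throwaway files (constructed sample data in a temp dir).
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
mk_req() {  # hypothetical helper: mk_req NAME ORG -> NAME-key.pem, NAME-req.pem
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=mydomain.com/O=$2/C=US" \
        -keyout "$d/$1-key.pem" -out "$d/$1-req.pem" 2>/dev/null
}
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -keyout "$d/cakey.pem" \
    -out "$d/cacert.pem" -subj '/CN=Demo CA/O=Blah blah blah/C=US' 2>/dev/null
mk_req FOO 'Blah blah blah'
mk_req BAD 'blahblahblah.'
# Stand-in for "openssl ca": sign FOO's request directly with the demo CA key.
openssl x509 -req -in "$d/FOO-req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -out "$d/FOO-cert.pem" -days 1 2>/dev/null

org_matches "$d/cacert.pem" "$d/FOO-req.pem" && echo "FOO: O= matches the CA"
org_matches "$d/cacert.pem" "$d/BAD-req.pem" || echo "BAD: O= differs from the CA"
key_matches "$d/FOO-key.pem" "$d/FOO-cert.pem" && echo "FOO: key matches cert"
chain_ok "$d/cacert.pem" "$d/FOO-cert.pem" && echo "FOO: cert verifies against CA"
key_private "$d/FOO-key.pem" || echo "FOO: key is readable by group or others"
```

With the files from this page, the same functions take demoCA/cacert.pem, FOO-req.pem, FOO-key.pem and FOO-cert.pem as arguments.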