How to create a bunch of certs.

1) First, declare yourself a root cert authority:

Create an RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):

$ openssl genrsa -des3 -out ca.key 1024

Please back up this ca.key file at a secure location and remember the pass phrase you just entered.

You can see the details of this RSA private key via the command:

$ openssl rsa -noout -text -in ca.key

And you can create a decrypted PEM version (not recommended) of this private key via:

$ openssl rsa -in ca.key -out ca.key.unsecure

Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You can see the details of this Certificate via the command:

$ openssl x509 -noout -text -in ca.crt

2) Make a server key. We are going to use the same server key for all our certs, so we won't have one key file per domain.

$ openssl genrsa -des3 -out server.key 1024

3) If you want, make unsecure (i.e., no pass phrase) versions of these files:

$ openssl rsa -in server.key -out server.key.unsecure

You end up with this:

# d
total 13
drwxrwx---   3 root  ca     1024 Mar 25 20:10 ./
drwxr-xr-x  22 root  wheel   512 Feb 26 22:42 ../
drwxr-xr-x   2 root  ca      512 Mar 25 19:39 ca.db.certs/
-rw-r--r--   1 root  ca      518 Mar 25 19:39 ca.db.index
-rw-r--r--   1 root  ca        3 Mar 25 19:39 ca.db.serial
-rw-r--r--   1 root  ca      887 Mar 25 19:25 ca.key
-rw-r--r--   1 root  ca      963 Mar 25 19:25 ca.key.secure
-rw-r--r--   1 root  ca      887 Mar 25 19:24 ca.key.unsecure
-rw-r--r--   1 root  ca      891 Mar 25 20:08 server.key
-rw-r--r--   1 root  ca      963 Mar 25 20:07 server.key.secure
-rw-r--r--   1 root  ca      891 Mar 25 20:08 server.key.unsecure
-rwxr-xr-x   1 root  ca     1784 Mar 25 19:19 sign.sh*

4) Now go make CSRs for the domains you want certs for:

$ openssl req -new -key server.key -out server.csr

Where "server.csr" is replaced by the real domain, i.e. example.com.csr

5) Now sign 'em:

$ ./sign.sh example.com.csr

You'll now have example.com.crt; just plug that into apache.conf and restart and you're done.
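
Steps 1 to 5 as one non-interactive script, added here as an example; it is not the original author's code and not the sign.sh used above. Assumptions: `openssl x509 -req` stands in for `./sign.sh`, keys are 2048-bit and unencrypted so nothing prompts, each certificate gets a subjectAltName, and the domain names are constructed. It also checks every certificate against ca.crt and against the shared server.key.

```shell
#!/bin/sh
# Added example, not the page's sign.sh. Assumptions: 2048-bit unencrypted
# throwaway keys, SHA-256, `openssl x509 -req` as the signing step, and a
# subjectAltName on each certificate.

make_ca() {          # step 1: CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -days 365 -key ca.key \
        -subj "/CN=Demo Root CA" -out ca.crt
}

make_server_key() {  # step 2: the one key shared by every certificate
    openssl genrsa -out server.key 2048 2>/dev/null
}

issue_cert() {       # steps 4-5: CSR for one domain, then sign it with the CA
    openssl req -new -key server.key -subj "/CN=$1" -out "$1.csr" &&
    printf 'subjectAltName=DNS:%s\n' "$1" > "$1.ext" &&
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -extfile "$1.ext" \
        -CA ca.crt -CAkey ca.key -CAcreateserial -out "$1.crt" 2>/dev/null
}

modulus_hash() {     # hash of the RSA modulus held in a .key or .crt file
    case $1 in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl sha256 | awk '{print $NF}'
}

check_cert() {       # cert must chain to ca.crt and carry server.key's modulus
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 &&
    [ "$(modulus_hash "$1.crt")" = "$(modulus_hash server.key)" ]
}

build_all() {        # whole procedure in a scratch directory, one cert per arg
    workdir=$(mktemp -d) && cd "$workdir" || return 1
    make_ca && make_server_key || return 1
    for d in "$@"; do
        issue_cert "$d" && check_cert "$d" || return 1
        echo "$workdir/$d.crt verified"
    done
}

# Run as: sh make-certs.sh example.com example.org   (constructed names)
if [ "$#" -gt 0 ]; then build_all "$@"; fi
```

The same `modulus_hash` comparison works on the files produced by the manual steps, which is a quick way to confirm that a .crt really belongs to server.key before pointing Apache at it.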