#--- Note that I am entering the machine name (pse.ccl.net) as common name.
#--- This produces certificates which are valid for 365 days. If you want
#--- longer lasting certificates, edit Makefile and replace 365 with the
#--- number of days you want. I usually put 1000 days, since I do not really
#--- serve hush-hush stuff, and the whole certificate stuff is just to protect
#--- privacy. But if you do something which really needs to be encrypted,
#--- then you do not do this stuff, but get a real certificate from
#--- the real certificate agency (Check your browser for the ones which
#--- your browser recognizes as CAs.).

# mkdir old-keys
# mv ssl* old-keys
# mkdir ssl.key
# mkdir ssl.csr
# mkdir ssl.crt

# -- make the private/public key pair
# make genkey
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.........................++++++
................++++++
e is ababab (0x122434)
Enter PEM pass phrase:                        # I entered some password!!!
Verifying password - Enter PEM pass phrase:

# -- this is to remove password from the private/public key
# -- since otherwise, you would have to enter it at boot time.
# openssl rsa -in ssl.key/server.key -out ssl.key/server.key.unsecure
read RSA key
Enter PEM pass phrase:
writing RSA key

# -- copy the "unpassworded" {:-)} key over the encrypted one.
# cp ssl.key/server.key.unsecure ssl.key/server.key
cp: overwrite `ssl.key/server.key'? y

# -- produce certificate request (i.e., the thing which you will sign).
# make certreq
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:Science
Common Name (eg, your name or your server's hostname) []:pse.ccl.net
Email Address []:jkl@ccl.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# -- produce the Certificate Authority Certificate, and sign your
# -- certificate from above with it.
# make testcert
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Columbus
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OSC
Organizational Unit Name (eg, section) []:Science
Common Name (eg, your name or your server's hostname) []:pse.ccl.net
Email Address []:jkl@ccl.net
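
The script below is an added example, not part of the original notes: it checks the properties the steps above are meant to produce (key without passphrase, key readable by its owner only, certificate matching the key, certificate self-signed, validity period, common name). The function names, the temp-dir files, the non-interactive -subj option and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): checks for a key and self-signed
# certificate like the pair made above. Function names are this example's own.

# Make a throwaway pair without prompts: $1=dir $2=common name $3=days.
# 2048-bit RSA is this example's choice; the transcript above uses 1024.
make_test_pair() {
    ( umask 77
      openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
      openssl req -new -x509 -key "$1/server.key" -days "$3" \
          -subj "/CN=$2" -out "$1/server.crt" 2>/dev/null )
}

# True when the key has no passphrase (the state after the "openssl rsa" step).
key_is_unencrypted() { [ -r "$1" ] && ! grep -q ENCRYPTED "$1"; }

# True when group and other have no access; an unencrypted key depends on this.
key_is_owner_only() {
    case $(ls -ld "$1") in -r[-w]-------*) return 0 ;; *) return 1 ;; esac
}

# True when the certificate carries the public half of this private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate verifies against itself, i.e. it is self-signed.
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# True when the certificate is still valid $2 days from now.
valid_in_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Print the subject common name (the field set to pse.ccl.net above).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Demo on constructed files in a temp dir.
d=$(mktemp -d) && make_test_pair "$d" pse.ccl.net 365
for check in "key_is_unencrypted $d/server.key" "key_is_owner_only $d/server.key" \
    "key_matches_cert $d/server.key $d/server.crt" "is_self_signed $d/server.crt" \
    "valid_in_days $d/server.crt 364"; do
    if $check; then echo "ok    ${check%% *}"; else echo "FAIL  ${check%% *}"; fi
done
echo "CN: $(cert_cn "$d/server.crt")"
rm -rf "$d"
```

To run the same checks on a real installation, call the functions with the key and certificate paths from the transcript instead of the temp-dir files.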