This is a thing I need to do from time to time, and I never remember how to do it. That means I need a more permanent type of memory than the one built into my own head, and this five-step howto will hopefully do.
cizmar@mysak:/tmp$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
.............................++++++
e is 65537 (0x10001)
This creates the private key. No other parameters are necessary, but tweak the command if you want a different key algorithm or a different key length.
cizmar@mysak:/tmp$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Germantown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Petr Cizmar
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:server.cizmar.org
Email Address []:my_address(at)mailinator.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This step requires you to fill in a short form; my answers are only an example. If a pass-phrase is required (which I believe depends on the version of the SSL toolkit or on the command-line parameters), continue with the next step; otherwise skip ahead to step 4.
cizmar@mysak:/tmp$ cp server.key server.key.org
cizmar@mysak:/tmp$ openssl rsa -in server.key.org -out server.key
writing RSA key
Remove the pass-phrase from the key so Apache (for example) doesn't ask for the password every time it's started.
cizmar@mysak:/tmp$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=Maryland/L=Germantown/O=Petr Cizmar/OU=IT/CN=server.cizmar.org/emailAddress=my_address(at)mailinator.com
Getting Private key
Easy peasy, no parameters needed.
Now we've got the certificate. Copy the obtained files somewhere it makes sense, such as server.crt to /etc/ssl/certs and server.key to /etc/ssl/private. Then point the Apache, Dovecot, or whatever other configuration files you need at them.
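The same five steps as a non-interactive script, added here as an example and not part of the original post. It passes the DN with -subj so no form is shown, generates the key unencrypted so the pass-phrase-stripping step is unnecessary, and ends with a check that the signed certificate really carries the public key of server.key (a mismatch is the usual cause of a "key values mismatch" error when the service starts). The work directory, the subject fields, the key size of 2048 bits and the function names are this example's own assumptions; the post used 1024 bits.

```shell
#!/bin/sh
# Added example (not the original post's commands): the five steps as a script.
# Assumes the openssl CLI is on PATH. Subject fields, paths and the 2048-bit
# key size are this example's choices.
set -eu

# Build key, CSR and self-signed certificate in the directory given as $1.
# Returns 0 only when the certificate's public key matches the private key.
make_self_signed() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # Step 1: private key. Without -des3/-aes256 the key file is unencrypted,
    # so the "remove the pass-phrase" step of the post is not needed.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1

    # Step 2: certificate signing request; -subj supplies the DN non-interactively.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=Maryland/L=Germantown/O=Example Org/OU=IT/CN=server.example.test" \
        || return 1

    # Step 4: self-sign the CSR with the same private key, valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1

    # Check: the public key embedded in the certificate must equal the one
    # derived from the private key, otherwise the pair is unusable.
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Print the subject of a certificate, for a last look before installing it.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Step 5 is done by hand as root, keeping the private key readable only by root:
#   install -m 0644 "$dir/server.crt" /etc/ssl/certs/server.crt
#   install -m 0600 "$dir/server.key" /etc/ssl/private/server.key
```

Run it as `make_self_signed /tmp/selfsigned && cert_subject /tmp/selfsigned/server.crt`; a non-zero exit means one of the openssl steps failed or the key and certificate do not belong together.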