Creating a Certificate Authority to Sign SSL Certificates for our Apache Server

I wanted to create certificates, but most guides only explain how to create self-signed certificates. I wanted a Certificate Authority (CA) that signs them instead, so that a single root certificate can be imported into the browsers and every certificate issued under it is accepted.

The steps to do this are here.

Create the Root CA

mkdir CA
cd CA
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create a new CA private key
openssl genrsa -aes256 -out private/ca.key.pem 4096

Create a CA Certificate
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem

Create an intermediate certificate authority (CA)

mkdir intermediate
cd intermediate
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create the intermediate private key
openssl genrsa -aes256 -out private/intermediate.key.pem 4096

Create the intermediate certificate
openssl req -sha256 -new -key private/intermediate.key.pem -out certs/intermediate.csr.pem

Sign the intermediate certificate with our Root Certificate. Note that the stock v3_ca section makes the intermediate an unrestricted CA; adding pathlen:0 to its basicConstraints would stop it from issuing further CA certificates. Without -days, openssl ca uses default_days from openssl.cnf (365 in the stock file).
cd ..
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions v3_ca -notext -md sha256 -in intermediate/certs/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

To verify the intermediate certificate against the root
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem

Create the certificate chain file by concatenating the intermediate and root certificates (intermediate first, root last)
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

Later, once the intermediate has issued a server certificate (next section), that certificate can be verified against the chain file
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem

Create and sign SSL certificates when acting as a certificate authority (CA)

Create the new private key for the actual server certificate
cd intermediate
openssl genrsa -out private/www.example.com.key.pem 2048
chmod 400 private/www.example.com.key.pem

Create the CSR for the server
openssl req -sha256 -new -key private/www.example.com.key.pem -out certs/www.example.com.csr.pem

Sign it with the intermediate key and certificate, not the root's: the whole point of the intermediate is that it, and not the root, issues the server certificates (and with dir = ./ we are now inside the intermediate directory, where private/ca.key.pem does not exist anyway)
openssl ca -keyfile private/intermediate.key.pem -cert certs/intermediate.cert.pem -extensions usr_cert -notext -md sha256 -in certs/www.example.com.csr.pem -out certs/www.example.com.cert.pem

Note that the stock usr_cert section adds no subjectAltName, and current browsers ignore the CN and require one. Supply the server extensions, including subjectAltName = DNS:www.example.com, from a section in a file passed to openssl ca with -extfile (together with -extensions naming that section).

At this point we have a usable certificate. To use it, put these settings into your virtual host configuration.

Do not leave out the chain file: browsers that only have the root certificate imported otherwise reject the server certificate with an error like "The certificate is not trusted because no issuer chain was provided."

SSLEngine on
SSLCertificateFile /PATH_TO_CERT/www.example.com.cert.pem
SSLCertificateKeyFile /PATH_TO_KEY/www.example.com.key.pem
SSLCertificateChainFile /PATH_TO_CHAIN_CERT/ca-chain.cert.pem

SSLCertificateChainFile is deprecated since Apache 2.4.8; on current versions, append intermediate.cert.pem to the file given to SSLCertificateFile and drop the directive.

NOTES:
The commands above rely on these edits to /etc/ssl/openssl.cnf (the file is openssl.cnf, not openssl.conf)
Set dir = ./ in [ CA_default ], so that openssl ca works on whichever CA directory you run it from (the root CA directory when signing the intermediate, the intermediate directory when signing server certificates)
Uncomment the keyUsage line of [ v3_ca ]
Change organizationName = match to organizationName = optional in [ policy_match ], otherwise openssl ca refuses any CSR whose organizationName does not match the CA's
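The whole procedure as one non-interactive script, added here as an example and not part of the original post. It does what the steps above do (root CA, intermediate signed by the root, server certificate signed by the intermediate, chain file, verification) but writes a private openssl.cnf into each CA directory instead of editing /etc/ssl/openssl.cnf, gives the intermediate pathlen:0, and supplies the leaf extensions, including a subjectAltName, from a CA-controlled -extfile. Each CA keeps its own key and certificate as private/ca.key.pem and certs/ca.cert.pem inside its directory; the CA names, the www.example.com hostname, the CA_PASS passphrase and the CA_BASE variable are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: root -> intermediate -> server
# certificate, non-interactively, with a private openssl.cnf written into each
# CA directory. Assumptions: OpenSSL 1.1.1+ on PATH; names and CA_PASS are placeholders.
set -eu
CA_PASS="${CA_PASS:-changeit}"   # demo passphrase for the two CA keys (assumption)

make_ca_dir() {  # make_ca_dir <absolute dir>: layout 'openssl ca' expects plus its config
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    # $dir is expanded by the shell here; \$dir is left for OpenSSL to expand.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/ca.key.pem
certificate   = \$dir/certs/ca.cert.pem
default_md    = sha256
default_days  = 375
policy        = policy_loose
[ policy_loose ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Root CA, intermediate CA signed by the root (pathlen:0), and the chain file.
build_ca() {  # build_ca <absolute base dir>
    root=$1/CA; inter=$root/intermediate
    make_ca_dir "$root"
    make_ca_dir "$inter"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$root/private/ca.key.pem" 4096 2>/dev/null
    openssl req -config "$root/openssl.cnf" -new -x509 -days 3650 -sha256 -extensions v3_ca \
        -key "$root/private/ca.key.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Root CA" -out "$root/certs/ca.cert.pem"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$inter/private/ca.key.pem" 4096 2>/dev/null
    openssl req -config "$inter/openssl.cnf" -new -sha256 \
        -key "$inter/private/ca.key.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Intermediate CA" -out "$inter/certs/ca.csr.pem"
    openssl ca -batch -config "$root/openssl.cnf" -passin "pass:$CA_PASS" \
        -extensions v3_intermediate_ca -days 1825 -notext -md sha256 \
        -in "$inter/certs/ca.csr.pem" -out "$inter/certs/ca.cert.pem" 2>/dev/null
    # Chain file: intermediate first, root last.
    cat "$inter/certs/ca.cert.pem" "$root/certs/ca.cert.pem" > "$inter/certs/ca-chain.cert.pem"
}

# Server key, CSR and certificate signed by the INTERMEDIATE key. The leaf extensions,
# including the subjectAltName browsers require, come from a CA-controlled -extfile.
issue_server_cert() {  # issue_server_cert <intermediate dir> <hostname>
    inter=$1; host=$2
    openssl genrsa -out "$inter/private/$host.key.pem" 2048 2>/dev/null
    chmod 400 "$inter/private/$host.key.pem"
    openssl req -config "$inter/openssl.cnf" -new -sha256 -subj "/CN=$host" \
        -key "$inter/private/$host.key.pem" -out "$inter/certs/$host.csr.pem"
    cat > "$inter/certs/$host.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
    openssl ca -batch -config "$inter/openssl.cnf" -passin "pass:$CA_PASS" \
        -extfile "$inter/certs/$host.ext" -extensions server_cert -notext -md sha256 \
        -in "$inter/certs/$host.csr.pem" -out "$inter/certs/$host.cert.pem" 2>/dev/null
}

# Trust only the root; the intermediate must come from the chain file, exactly
# the position of a browser that has only the root certificate imported.
verify_chain() {  # verify_chain <root cert> <chain file> <leaf cert>
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# Usage: CA_BASE=/srv/pki sh ca-demo.sh   (CA_BASE: absolute, writable path; assumption)
if [ -n "${CA_BASE:-}" ]; then
    build_ca "$CA_BASE" && issue_server_cert "$CA_BASE/CA/intermediate" www.example.com
    verify_chain "$CA_BASE/CA/certs/ca.cert.pem" "$CA_BASE/CA/intermediate/certs/ca-chain.cert.pem" \
        "$CA_BASE/CA/intermediate/certs/www.example.com.cert.pem" && echo "chain OK"
fi
```

verify_chain deliberately trusts only the root and takes the intermediate from the chain file with -untrusted; verifying with -CAfile ca-chain.cert.pem as in the steps above also succeeds, but it treats the intermediate as a trust anchor in its own right, which is not what a browser does. The .ext file is written by the CA side, so a requester cannot smuggle CA:TRUE or extra key usages into the issued certificate through the CSR.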

To remove the passphrase from a key (so Apache can start without prompting; the unencrypted copy must then be readable only by root, e.g. chmod 400)
openssl rsa -in private.key.pem -out private.unsecure.key.pem

And that will be all.

Obtained from

Series of CA on this blog
