SSL Certs
From Devpit
There are two ways to make SSL keys and certificates without giving anyone money. The easy way is to skip the certificate authority and self-sign each certificate. Do this for each certificate:
  umask 077
  openssl genrsa -des3 -out whatever.com.key -passout pass:asdf 2048
  openssl rsa -in whatever.com.key -out whatever.com.key -passin pass:asdf
  openssl req -new -x509 -days 3650 -key whatever.com.key -out whatever.com.crt
The other way is to run your own certificate authority and sign each certificate with it. If you don't have a CA key and certificate yet, create them first (sign.sh expects the files to be named ca.key and ca.crt):
  umask 077
  openssl genrsa -des3 -out ca.key -passout pass:asdf 2048
  openssl rsa -in ca.key -out ca.key -passin pass:asdf
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Then do this for each certificate:
  umask 077
  openssl genrsa -des3 -out whatever.com.key -passout pass:asdf 2048
  openssl rsa -in whatever.com.key -out whatever.com.key -passin pass:asdf
  openssl req -new -key whatever.com.key -out whatever.com.csr
  ./sign.sh whatever.com.csr
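The page never shows sign.sh itself. The script below is an added example written for this page, not the wiki's own sign.sh, of the whole CA path as shell functions: make the CA, make a key and CSR for a host, sign the CSR with ca.key/ca.crt, then verify that the result actually chains to the CA. It generates the keys unencrypted in one step instead of the encrypt-then-strip dance above, and it passes the subject with -subj so nothing is prompted. The function names, the "Example Test CA" name and the directory argument are all assumptions of this example.

```sh
#!/bin/sh
# Added example (not the page's sign.sh): self-signed CA, CSR signing, and
# chain verification using only the openssl command line.
set -eu

# make_ca DIR: create DIR/ca.key and a self-signed DIR/ca.crt valid 3650 days.
make_ca() {
  dir=$1
  umask 077                      # keys are created owner-readable only
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Test CA" 2>/dev/null    # CA name is an assumption
}

# make_csr DIR NAME: create DIR/NAME.key and DIR/NAME.csr with Common Name NAME.
make_csr() {
  dir=$1; name=$2
  umask 077
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
}

# sign_csr DIR CSR [DAYS]: the job sign.sh does on the page -- sign DIR/CSR with
# ca.key/ca.crt and write DIR/<basename>.crt. -CAcreateserial keeps ca.srl so
# successive certificates from this CA get distinct serial numbers.
sign_csr() {
  dir=$1; csr=$2; days=${3:-3650}
  base=${csr%.csr}
  openssl x509 -req -days "$days" -in "$dir/$csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$base.crt" 2>/dev/null
}

# verify_chain DIR CRT: succeed only if DIR/CRT was signed by DIR/ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# cert_cn DIR CRT: print the subject Common Name of DIR/CRT.
# The sed strips everything up to "CN=" so it works with old and new subject formats.
cert_cn() {
  openssl x509 -in "$1/$2" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run: build a throwaway CA and one host certificate in a temp dir.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_ca "$d"
  make_csr "$d" whatever.com
  sign_csr "$d" whatever.com.csr
  verify_chain "$d" whatever.com.crt && echo "whatever.com.crt chains to ca.crt"
  echo "CN: $(cert_cn "$d" whatever.com.crt)"
  rm -rf "$d"
fi
```

Run it with `sh script.sh demo`. The verify step is the check worth keeping around: a certificate that was merely self-signed with the host key (the "easy way" on this page) fails `openssl verify -CAfile ca.crt`, which is exactly how a client that trusts only ca.crt will treat it.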
Notes:
- Just leave all the prompted fields blank except set the Common Name to the hostname.
- If you set the Common Name to *.whatever.com, it will work for all subdomains.
- If you set the Common Name to *, it experimentally works for all names (I haven't tested this on many browsers)
- Each SSL certificate must have its own listening socket (IP address and port), since the server cannot know the hostname before it begins encrypting.
- genrsa -des3 writes the new key encrypted with a passphrase; that's why the second command is there, to strip the passphrase so the server can load the key without prompting.
- sign.sh uses ca.key and ca.crt to sign the specified csr. This generates a crt file.
- Copy *.key and *.crt to a directory like etc/apache/certs and point httpd.conf to them.
- mod_ssl faq: http://www.modssl.org/docs/2.8/ssl_faq.html
- You may want to modify sign.sh to use 3650 days instead of 365.
- Useful script: http://www.defcon1.org/html/Software_Articles/Direct-X/VNC-Server/CVS-Server/postfix-smtp.html