There are two ways to go about creating certificates. You can create a single certificate for easy usage or you can get more complicated and create your own Certificate Authority, so you can sign your certificates for intranet purposes (i.e. you want to generate certificates for other people in your organization with your signature).
NOTE: This assumes you are using Linux. If you are a Windows user, you'll need to add '-config "C:\opensslDIRNAMEHERE\openssl.conf"' to your openssl req command.
Creating your Certificate Authority (CA)
Skip this section if you don't want a CA. It takes extra work to manage this guy.
First off, you shouldn't need this if you don't have multiple servers/clients for which you want to sign certificates on behalf of an organization. In this section, we'll generate a CA, then a server private key and a server certificate signed by the CA.
UPDATE: I used to have some steps, but now I recommend visiting the below link.
Follow the steps here instead: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
Straightforward approach
Create a directory called EX_CA (or whatever you want).
Create subdirectories: private, newcerts, certs, crl
Copy openssl.conf into EX_CA (the commands below refer to this copy as openssl.my.cnf).
Create two files in EX_CA: index.txt and serial (put 01 in serial)
Make sure you are in the root directory (EX_CA). Generate the certificate and key for the authority.
openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
Now we need to modify the config we just copied. Refer to the link above.
Create a certificate signing request
openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
Sign the certificate
openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
Delete the certificate signing request file and we are done.
Creating a Self-Signed Certificate
For a self-signed certificate, we first want to generate a private key with which to sign the certificate.
openssl genrsa -des3 -out normsoven.key 4096
Then we'll create a certificate signing request (CSR) with that private key. You may repeat this step to generate multiple certificates from the same key.
openssl req -new -nodes -key normsoven.key -out normsoven.csr
Now you'll generate a certificate from your signing request, valid for about 3 years (1001 days).
openssl x509 -req -days 1001 -in normsoven.csr -signkey normsoven.key -out normsoven.crt
- When you are asked for the common name, enter the domain name (the name of the virtual host).
Done!
Strip Password from Private Key
Now we want to strip the passphrase from the private key (the one -des3 asked you to set), because your web server would otherwise need it every time it starts.
openssl rsa -in normsoven.key -out normsoven.key.insecure
mv normsoven.key normsoven.key.secure
mv normsoven.key.insecure normsoven.key
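Putting the self-signed steps together, as an added example that is not from the original post: a shell script that generates the key, CSR and certificate non-interactively (the -subj argument stands in for the prompts, and the key is generated without a passphrase so no stripping step is needed), then checks that the certificate's public key really matches the private key, that the CN is the host name, and that the certificate verifies against a CA file. It assumes openssl is on PATH; the host name normsoven and the temporary working directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key without a passphrase, CSR with the subject given on the command line
# (the CN must be the host name clients connect to), then a self-signed
# certificate valid for 1001 days, as in the post.
gen_self_signed() {
    host=$1
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" 2>/dev/null
    openssl x509 -req -days 1001 -in "$WORK/$host.csr" \
        -signkey "$WORK/$host.key" -out "$WORK/$host.crt" 2>/dev/null
}

# Prints "match" when the certificate's public key was derived from the
# given private key. Compares digests of the two public keys; a mismatch is
# the classic mixed-up-files error that stops the web server at startup.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Prints the subject CN so you can confirm it is the virtual host name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Prints "ok" when the certificate verifies against the given CA file.
# A self-signed certificate only verifies against itself; a server cert
# from the CA section verifies against certs/myca.crt.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
}

gen_self_signed normsoven
cert_matches_key "$WORK/normsoven.crt" "$WORK/normsoven.key"   # match
cert_cn "$WORK/normsoven.crt"                                    # normsoven
verify_chain "$WORK/normsoven.crt" "$WORK/normsoven.crt"         # ok
```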
Apache Config
At this point, I'm going to use Apache Web Server as an example of attaching your certificate. If you are a Windows user, you have an httpd-ssl.conf in your conf/extra folder as an example of how to enable SSL. Here are the directives to focus on in httpd.conf or your virtual host config file:
ServerName normsoven
SSLCertificateFile "path/to/certdir/normsoven.crt"
SSLCertificateKeyFile "path/to/keydir/normsoven.key"
NOTE: Make sure your keys and certificates are not stored anywhere inside your document root. Chaos and madness will ensue if you decide to use this on a production server because you didn't want to pay for a certificate from a trusted authority.
Read more here: Creating Certificate Authorities and self-signed SSL certificates <-- Amazing source!