Author: Gregory Neil Shapiro
To make certificate authority:
mkdir CA cd CA mkdir certs crl newcerts private echo "01" > serial cp /dev/null index.txt cp /usr/local/openssl/openssl.cnf.sample openssl.cnf vi openssl.cnf (set values) openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnfTo make a new certificate:
cd CA (same directory created above) openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf(certificate and private key in file newreq.pem) To sign new certificate with certificate authority:
cd CA (same directory created above) openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem rm -f tmp.pem(newcert.pem contains signed certificate, newreq.pem still contains unsigned certificate and private key)
openssl x509 -in file.pem -noout -text
openssl s_client -CAfile /etc/ssl/ca.pem -connect ldap1.example.com:636
To create a private key using the triple des encryption standard (recommended), use the following command: openssl genrsa -des3 -out filename.key 1024 To create a private key without triple des encryption, use the following command: openssl genrsa -out filename.key 1024 To add a password to an existing private key, use the following command: openssl -in filename.key -des3 -out newfilename.key To remove a password from an existing private key, use the following command: openssl -in filename.key -out newfilename.key To create a self-signed certificate: openssl req -new -key filename.key -x509 -out filename.crt
After generating key, generate csr openssl req -new -key server.key -out server.csr