How can I create and use my own Certificate Authority (CA)?
1. Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out ca.key 1024
Back up this ca.key file in a secure location and remember the pass-phrase you just entered. You can see the details of this RSA private key with the command:
$ openssl rsa -noout -text -in ca.key
You can also create a decrypted PEM version (not recommended) of this private key via:
$ openssl rsa -in ca.key -out ca.key.unsecure
2. Create a self-signed CA Certificate (X.509 structure) with the RSA key of the CA (output will be PEM formatted):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this Certificate via the command:
$ openssl x509 -noout -text -in ca.crt
3. Prepare a script for signing. This is needed because the “openssl ca” command has some strange requirements and the default OpenSSL config does not make it easy to use “openssl ca” directly, so a script named sign.sh is distributed with mod_ssl (in the pkg.contrib/ subdirectory). Use this script for signing.
4. Now you can use this CA to sign server CSRs in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):
$ ./sign.sh server.csr
This signs the server CSR and results in a server.crt file.
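The whole procedure above, as an added, non-interactive example that is not part of mod_ssl: it stands in for sign.sh with “openssl x509 -req” (not “openssl ca”), and then performs the check the FAQ leaves out, namely that the signed server.crt actually chains to ca.crt. The working directory, subject names and the use of -nodes and 2048-bit keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA, sign a server CSR with it, verify the chain.
# Not the mod_ssl sign.sh script; uses `openssl x509 -req` instead.
set -eu

WORK="${WORK:-./demo-ca}"   # scratch directory (assumption)
mkdir -p "$WORK"

# Steps 1 and 2 in one go: CA key plus self-signed CA certificate.
# -nodes leaves the key unencrypted so the demo needs no pass-phrase;
# a real CA key should be encrypted as the FAQ does with -des3.
# The FAQ's 1024-bit RSA is below current minimums, so 2048 is used here.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A server key and CSR, standing in for the server.csr the FAQ assumes.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step 4 equivalent of sign.sh: sign the CSR with the CA key -> server.crt.
# -CAcreateserial maintains a serial file so each issued cert is distinct.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# The check worth doing afterwards: does server.crt chain to ca.crt?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Issuer of server.crt must be the subject of ca.crt.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer -in "$WORK/server.crt")
  sub=$(openssl x509 -noout -subject -in "$WORK/ca.crt")
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}

if [ "${1:-}" = "demo" ]; then
  make_ca && make_csr && sign_csr && verify_chain && issuer_matches \
    && echo "server.crt chains to ca.crt"
fi
```

Run it as “sh ca-demo.sh demo”; the server.key/server.crt pair it produces is what Apache's SSLCertificateFile and SSLCertificateKeyFile would point at.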