certificates

self-signed certificate

From: http://www.tc.umn.edu/~brams006/selfsign.html

Complete this section if you do NOT want to make a CA (Certificate Authority).

Some steps in this document require privileged access, and you'll want to restrict access to the cert files to the root user alone. So you should su to root and create a working directory that only root has read/write access to (for example: mkdir certwork, chmod 600 certwork; this works because root bypasses the mode bits, whereas a non-root owner would need 700, since the execute bit is what allows entering a directory). Go to that directory.

  1. Generate a server key:
    openssl genrsa -des3 -out server.key 4096
  2. Then create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that “Common Name (eg, YOUR name)” matches the registered fully qualified domain name of your box (or your IP address if you don't have one). I also suggest not making a challenge password at this point, since it'll just mean more typing for you.
    The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored here: /etc/ssl/openssl.cnf. So if you've got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, just execute the command below and type what needs to be typed:
    openssl req -new -key server.key -out server.csr
  3. Now sign the certificate signing request. This example lasts 365 days:
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  4. Make a version of the server.key which doesn't need a password:
    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure
    mv server.key.insecure server.key
  5. These files are quite sensitive and their permissions should be guarded very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them. That is, root will always retain effective 600 (read) rights on everything.
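The five steps above as one non-interactive script, plus a consistency check of the result. This is an added example, not part of the original page: it assumes `openssl` is on PATH, takes the passphrase from the `KEY_PASS` environment variable (so it appears neither on the command line nor in shell history), supplies the subject with `-subj` instead of answering the prompts, and additionally writes a subjectAltName that matches the Common Name, which the page does not mention but modern clients require. The `umask 077` makes every file 0600 and the directory 0700 at creation time rather than relying on a later chmod.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes: openssl on PATH,
# KEY_PASS exported with the private-key passphrase. Function names are ours.
set -u

# make_selfsigned DIR CN [BITS] [DAYS]
#   Produces DIR/server.key (passphrase-free, for the daemon),
#   DIR/server.key.secure (passphrase-protected original),
#   DIR/server.csr and DIR/server.crt. Exit status 0 on success.
make_selfsigned() (
    dir=$1; cn=$2; bits=${3:-4096}; days=${4:-365}
    : "${KEY_PASS:?export KEY_PASS with the private-key passphrase}"
    export KEY_PASS
    umask 077                                  # files 0600, directory 0700
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Step 1: passphrase-protected private key.
    openssl genrsa -des3 -passout env:KEY_PASS -out server.key "$bits" 2>/dev/null || exit 1

    # Step 2: certificate signing request; CN must match the host's FQDN.
    openssl req -new -key server.key -passin env:KEY_PASS \
        -subj "/CN=$cn" -out server.csr || exit 1

    # Step 3: self-sign the CSR. The extension file adds a SAN equal to the CN
    # (assumption beyond the page: clients match SAN, not CN).
    printf 'subjectAltName=DNS:%s\n' "$cn" > san.ext
    openssl x509 -req -days "$days" -in server.csr -signkey server.key \
        -passin env:KEY_PASS -extfile san.ext -out server.crt 2>/dev/null || exit 1
    rm -f san.ext

    # Step 4: strip the passphrase for the daemon, keep the protected original.
    openssl rsa -in server.key -passin env:KEY_PASS -out server.key.insecure 2>/dev/null || exit 1
    mv server.key server.key.secure && mv server.key.insecure server.key || exit 1

    # Step 5: belt and braces on top of the umask; owner is whoever runs this.
    chmod 600 server.key server.key.secure
)

# check_selfsigned DIR CN
#   Confirms the key and certificate belong together, the subject and SAN
#   carry the expected name, and the certificate validates against itself
#   as its own trust anchor (what a client pinning it would do).
check_selfsigned() (
    dir=$1; cn=$2
    cd "$dir" || exit 1
    k=$(openssl rsa -noout -modulus -in server.key) || exit 1
    c=$(openssl x509 -noout -modulus -in server.crt) || exit 1
    [ "$k" = "$c" ] || { echo "key/cert modulus mismatch" >&2; exit 1; }
    openssl x509 -noout -subject -in server.crt | grep -q "CN *= *$cn" || exit 1
    openssl x509 -noout -text -in server.crt | grep -q "DNS:$cn" || exit 1
    openssl verify -CAfile server.crt server.crt >/dev/null
)

# Usage (run as root, in the working directory described above):
#   KEY_PASS='...' make_selfsigned /root/certwork www.example.test && \
#   check_selfsigned /root/certwork www.example.test
```

The passphrase-free `server.key` is what the daemon loads at start-up; `server.key.secure` only needs to exist so the key can be re-exported later, so it can be moved off the host entirely if the daemon never needs it.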
linux/server/certificates.txt · Last modified: 2009/08/06 20:15 by john
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported