If you're running your own server, you're probably not shelling out $400 to get an "official" Certificate Authority to sign your key. Here's a quick note to myself about how to create and sign your own key. Depending on your application, you can use either the GnuTLS or OpenSSL toolchain.
GnuTLS
Following the GnuTLS manual, create a certificate authority with certtool, adjusting the cn as you see fit:
$ certtool --generate-privkey > x509-ca-key.pem
$ echo 'cn = GnuTLS test CA' > ca.tmpl
$ echo 'ca' >> ca.tmpl
$ echo 'cert_signing_key' >> ca.tmpl
$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
--template ca.tmpl --outfile x509-ca.pem
Now generate the unencrypted server key.
$ certtool --generate-privkey > x509-server-key.pem
And sign the key with your CA, adjusting the cn as you see fit, and changing dns_name to match your fully qualified host name.
$ echo 'organization = GnuTLS test server' > server.tmpl
$ echo 'cn = test.gnutls.org' >> server.tmpl
$ echo 'tls_www_server' >> server.tmpl
$ echo 'encryption_key' >> server.tmpl
$ echo 'signing_key' >> server.tmpl
$ echo 'dns_name = test.gnutls.org' >> server.tmpl
$ certtool --generate-certificate --load-privkey x509-server-key.pem \
--load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
--template server.tmpl --outfile x509-server.pem
You can also print certificates with certtool.
$ certtool --infile x509-server.pem --certificate-info
OpenSSL
Use openssl's genpkey to generate an unencrypted key.
$ openssl genpkey -algorithm RSA -out key.pem
An unencrypted key is less secure, but it allows the web server to be restarted (e.g. after rebooting) without you being there to enter the passphrase that decrypts it. Make sure key.pem is only readable by root.
Use req to generate a certificate signing request.
$ openssl req -new -key key.pem -out req.pem
-new prompts you for the relevant field values. You can also specify the values on the command line or in a configuration file (override the default with -config filename).
Use x509 to sign the certificate.
$ openssl x509 -req -days 365 -in req.pem -signkey key.pem -out cert.pem
You should keep your certificate signing request around so you can re-sign your key later on (since your initial signature will eventually expire).
You can also print certificates with x509.
$ openssl x509 -in cert.pem -noout -text
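The OpenSSL steps above, run end to end as an added example (not from the original note), with two things a practitioner wants on top: a subjectAltName carrying the host name (modern clients ignore the CN) and a check that the key ended up readable by its owner only. The directory, host name and function name are assumed placeholders.

```sh
#!/bin/sh
# Added example, not part of the original note. Runs the OpenSSL steps above
# end to end and adds a subjectAltName plus a permissions check on the key.
# "$dir" and "$host" are assumed placeholders; pick your own.
set -eu

# make_selfsigned DIR HOST DAYS
# Writes DIR/key.pem, DIR/req.pem and DIR/cert.pem; returns 0 only when the
# key is mode 0600, the cert carries DNS:HOST in its SAN and it verifies.
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"

    # Extension file: browsers and most TLS clients ignore the CN and
    # require the host name in subjectAltName.
    cat > "$dir/san.cnf" <<EOF
[ v3_server ]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # Unencrypted key, as in the note; lock it down to the owner right away.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"

    # CSR with the subject on the command line instead of the -new prompts.
    openssl req -new -key "$dir/key.pem" -subj "/CN=$host" \
        -out "$dir/req.pem" 2>/dev/null

    # Self-signed cert, with the server extensions attached from san.cnf.
    openssl x509 -req -days "$days" -in "$dir/req.pem" -signkey "$dir/key.pem" \
        -extfile "$dir/san.cnf" -extensions v3_server \
        -out "$dir/cert.pem" 2>/dev/null

    # Checks: key mode (GNU stat, then BSD stat), SAN present, cert verifies.
    mode=$(stat -c %a "$dir/key.pem" 2>/dev/null || stat -f %Lp "$dir/key.pem")
    [ "$mode" = "600" ] || return 1
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1
}
```

Run it as make_selfsigned /etc/ssl/private/mysite my.host.example 365 and point the web server at the resulting key.pem and cert.pem.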