
Creating and Using a Self-Signed SSL Certificate

source: http://www.debian-administration.org/articles/284

clipped by MingsVille Dec 24, 2006

Debian S3 SSL

Amazon S3

    You now have enough information to create and sign certificates on your own behalf. While this is a fairly long document, the procedure can be summarized easily.

    One-Time Setup

    Set up, and create a root CA certificate. Commands:

    # mkdir CA
    # cd CA
    # mkdir newcerts private
    # echo '01' >serial
    # touch index.txt
    # (IMPORTANT: Install and edit the configuration file shown below.)
    # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
        -out cacert.pem -days 365 -config ./openssl.cnf
    

    Output:

    • cacert.pem - CA certificate
    • private/cakey.pem - CA private key

    Distribute cacert.pem to your clients.

    Per Certificate

    Create certificate signing requests and sign them, supplying appropriate values for the Common Name and the Organizational Unit.

    Commands:

    openssl req -new -nodes -out req.pem -config ./openssl.cnf 
    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem 
    cat key.pem cert.pem >key-cert.pem 
    

    Output:

    • key.pem - Private key
    • req.pem - Certificate signing request
    • cert.pem - Certificate
    • key-cert.pem - Combined private key and certificate

    Install key.pem and cert.pem, or just key-cert.pem as appropriate for your server application.

    Per Certificate - Renewal

    Revoke the expired certificate, and re-sign the original request.

    Commands:

    openssl ca -revoke newcerts/.pem -config ./openssl.cnf 
    openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem 
    

    Install the renewed certificates in the same manner as the original ones.

    Configuration File

    # 
    # OpenSSL configuration file. 
    # 
    
    # Establish working directory. 
    
    dir = . 
    
    [ ca ] 
    default_ca = CA_default 
    
    [ CA_default ] 
    serial = $dir/serial 
    database = $dir/index.txt 
    new_certs_dir = $dir/newcerts 
    certificate = $dir/cacert.pem 
    private_key = $dir/private/cakey.pem 
    default_days = 365 
    default_md = md5 # signing digest; MD5 is no longer accepted for certificate signatures by current clients, use sha256 
    preserve = no 
    email_in_dn = no 
    nameopt = default_ca 
    certopt = default_ca 
    policy = policy_match 
    
    [ policy_match ] 
    countryName = match 
    stateOrProvinceName = match 
    organizationName = match 
    organizationalUnitName = optional 
    commonName = supplied 
    emailAddress = optional 
    
    [ req ] 
    default_bits = 1024 # Size of keys; 1024-bit RSA is below today's minimum, use 2048 or more 
    default_keyfile = key.pem # name of generated keys 
    default_md = md5 # message digest algorithm; see the note on default_md above 
    string_mask = nombstr # permitted characters 
    distinguished_name = req_distinguished_name 
    req_extensions = v3_req 
    
    [ req_distinguished_name ] 
    # Variable name   Prompt string 
    #----------------------   ---------------------------------- 
    0.organizationName = Organization Name (company) 
    organizationalUnitName = Organizational Unit Name (department, division) 
    emailAddress = Email Address 
    emailAddress_max = 40 
    localityName = Locality Name (city, district) 
    stateOrProvinceName = State or Province Name (full name) 
    countryName = Country Name (2 letter code) 
    countryName_min = 2 
    countryName_max = 2 
    commonName = Common Name (hostname, IP, or your name) 
    commonName_max = 64 
    
    # Default values for the above, for consistency and less typing. 
    # Variable name   Value 
    #------------------------------   ------------------------------ 
    0.organizationName_default = The Sample Company 
    localityName_default = Metropolis 
    stateOrProvinceName_default = New York 
    countryName_default = US 
    
    [ v3_ca ] 
    basicConstraints = CA:TRUE 
    subjectKeyIdentifier = hash 
    authorityKeyIdentifier = keyid:always,issuer:always 
    
    [ v3_req ] 
    basicConstraints = CA:FALSE 
    subjectKeyIdentifier = hash 
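
    The procedure above and its configuration file, driven end to end as an added example (not the article's own code): it runs the one-time setup and one per-certificate issue non-interactively (-batch, -subj, an unencrypted CA key) in a scratch directory, then verifies that the issued certificate chains to cacert.pem and that key.pem really matches it. It assumes a current openssl binary and deviates from the page's configuration where marked: sha256 instead of md5, 2048-bit keys, and x509_extensions so that issued certificates carry the v3_req extensions.

```shell
# Added example: the page's CA procedure run non-interactively, then checked; config lines tagged CHANGED/ADDED deviate from the page's openssl.cnf.
set -eu
CA_DIR=${CA_DIR:-$(mktemp -d)}   # constructed scratch directory (the page's CA/)
SUBJ_BASE="/C=US/ST=New York/O=The Sample Company"   # policy_match: must equal the CA's
setup_ca() (   # one-time setup: layout, empty database, self-signed root CA
  cd "$CA_DIR" && mkdir -p newcerts private && echo 01 >serial && : >index.txt
  cat >openssl.cnf <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256        # CHANGED from md5: MD5-signed certificates are rejected today
x509_extensions = v3_req   # ADDED: stamp the v3_req extensions onto issued certificates
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048        # CHANGED from 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -batch -nodes -extensions v3_ca -config ./openssl.cnf \
    -keyout private/cakey.pem -out cacert.pem -days 365 -subj "$SUBJ_BASE/CN=Root CA"
)
issue_cert() (   # per certificate: key + CSR, sign with the CA, bundle for the server
  cd "$CA_DIR" && openssl req -new -batch -nodes -config ./openssl.cnf \
    -keyout key.pem -out req.pem -subj "$SUBJ_BASE/CN=$1"
  openssl ca -batch -config ./openssl.cnf -out cert.pem -infiles req.pem
  cat key.pem cert.pem >key-cert.pem
)
verify_cert() (   # the check the page omits: chains to our CA, and key matches cert
  cd "$CA_DIR" && openssl verify -CAfile cacert.pem cert.pem >/dev/null &&
  [ "$(openssl x509 -noout -pubkey -in cert.pem)" = "$(openssl pkey -pubout -in key.pem)" ]
)
```

    The CA key is left unencrypted here only so the run needs no terminal; the article's interactive run prompts for a passphrase on cakey.pem, which is the better default for a CA key you intend to keep.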
    
 
