On Fri, Jun 15, 2007 17:14:55 PM -0700, Karl R. Balsmeier (karl at klxsystems.net) wrote:

> # *openssl genrsa -out /etc/ssl/private/server.key 1024*
>
> # *openssl req -new -key /etc/ssl/private/server.key -out
> /etc/ssl/private/server.csr*
>
> # *openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
> -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt*
>

Where should the -nodes option go with this approach? Only in the first
command?

Now, let's compare this with the one-command solution that Paul provided,
please:

> openssl req \
> -x509 -nodes -days 365 \
> -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
> -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

If I _am_ starting to figure this out, the only differences are that:

- Paul passed all the options on the command line in -subj, Karl assumes
  they are in openssl.cnf

- Karl places keys and certificate in _separate_ files (as I had
  originally asked), so he needs 3 commands instead of one: the first
  creates the key, the second an unsigned certificate in
  /etc/ssl/private/server.csr, the third signs that certificate with the
  key and puts the signed version in /etc/ssl/server.crt

Is this explanation correct? Yes, I'm being verbose and I'm nitpicking, but
since we all agreed there is no decent documentation on these basic issues
(*), we can say we're writing it now, aren't we?

Thanks again for your time and patience,

Marco

(*) For the record, I asked the same question on the openssl-users list
before coming here, but am still waiting for any answer on that front...

-- 
Help *everybody* love Free Standards and Free Software:
http://digifreedom.net/node/73
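Added example (not part of the original message or of the quoted replies): a script that runs both command sequences from the thread in a scratch directory, then checks that each certificate carries the public key of its private key and that neither key file is encrypted. It shows that genrsa writes an unencrypted key unless it is given a cipher option, while -nodes is what does that for req -newkey. The file locations, the subject CN=example.test and the 2048-bit key size (in place of the thread's 1024) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: both sequences from the thread, run in a scratch directory.
# Constructed values: file locations, CN=example.test, 2048-bit keys.
umask 077                               # key files readable by owner only
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
SUBJ='/C=US/ST=Oregon/L=Portland/CN=example.test'

# Three commands: key, signing request and certificate in separate files.
three_step() {
    # genrsa encrypts the key only when given a cipher option (e.g. -aes256),
    # so none of these three commands needs -nodes.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null || return 1
    # The CSR holds the subject and public key, signed with the private key.
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" \
        -out "$WORK/server.csr" || return 1
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# One command: req creates the key itself, and -nodes leaves it unencrypted.
one_step() {
    openssl req -x509 -nodes -days 365 -subj "$SUBJ" -newkey rsa:2048 \
        -keyout "$WORK/mycert.pem" -out "$WORK/mycert.pem" 2>/dev/null
}

# Both PEM encryption styles put the word ENCRYPTED in the file.
key_is_plaintext() { ! grep -q ENCRYPTED "$1"; }

# pair_matches KEYFILE CERTFILE: true if the certificate's public key is the
# one derived from the private key.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

three_step && one_step || exit 1
for pair in "server.key server.crt" "mycert.pem mycert.pem"; do
    set -- $pair
    pair_matches "$WORK/$1" "$WORK/$2" && key_is_plaintext "$WORK/$1" \
        && echo "$1 / $2: key matches certificate, key not encrypted"
done
```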