[CentOS] which commands do you use to SSL certify your own server?

Sat Jun 16 09:08:45 UTC 2007
M. Fioretti <mfioretti at mclink.it>

On Fri, Jun 15, 2007 17:14:55 PM -0700, Karl R. Balsmeier
(karl at klxsystems.net) wrote:

>    # openssl genrsa -out /etc/ssl/private/server.key 1024
> 
>    # openssl req -new -key /etc/ssl/private/server.key \
>           -out /etc/ssl/private/server.csr
> 
>    # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
>           -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
> 

Where should the -nodes option go with this approach? Only in the
first command?

Now, let's compare this with the one-command solution that Paul
provided, please:

> openssl req \
>  -x509 -nodes -days 365 \
>  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

If I _am_ starting to figure this out, the only differences are that:

- Paul passed all the options on the command line in -subj, Karl assumes
  they are in openssl.cnf

- Karl places keys and certificate in _separate_ files (as I had
  originally asked), so he needs 3 commands instead of one: the first
  creates the key, the second an unsigned certificate in
  /etc/ssl/private/server.csr, the third signs that certificate with
  the key and puts the signed version in /etc/ssl/server.crt

Is this explanation correct?

Yes, I'm being verbose and I'm nitpicking, but since we all agreed
there is no decent documentation on these basic issues (*), we can say
we're writing it now, aren't we?

Thanks again for your time and patience,

	Marco

(*) For the record, I asked the same question on the openssl-users
list before coming here, but am still waiting for any answer on that
front...

-- 
Help *everybody* love Free Standards and Free Software:
http://digifreedom.net/node/73
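
Added example, not part of the original message or of either quoted reply: a POSIX shell script that builds a self-signed certificate by both routes compared above and checks that each key is unencrypted and each certificate matches its key. The subject, the file names and the 2048-bit key size (the thread uses 1024) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: subject, file names.
# 2048-bit keys are used here instead of the thread's 1024.
SUBJ='/CN=example.test'

# Three-command route: key, CSR and certificate as separate files.
# genrsa only encrypts the key when given a cipher option (e.g. -aes256),
# so -nodes is not needed anywhere in this route.
make_three_step() {
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$1/server.key" -subj "$SUBJ" -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# One-command route: req creates the key itself, so -nodes is what keeps it
# unencrypted. Separate -keyout/-out targets still give two files.
make_one_step() {
    ( umask 077; openssl req -x509 -nodes -days 365 -subj "$SUBJ" \
        -newkey rsa:2048 -keyout "$1/one.key" -out "$1/one.crt" 2>/dev/null ) &&
    chmod 644 "$1/one.crt"
}

# True if the PEM key file exists and carries no encryption header.
key_is_unencrypted() {
    [ -s "$1" ] && ! grep -Eq '^-----BEGIN ENCRYPTED|^Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the certificate ($1) contains the public half of the key ($2).
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if subject and issuer are identical, as in a self-signed certificate.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Demo run in a throwaway directory.
d=$(mktemp -d) && make_three_step "$d" && make_one_step "$d" &&
for p in server one; do
    key_is_unencrypted "$d/$p.key" && cert_matches_key "$d/$p.crt" "$d/$p.key" &&
    is_self_signed "$d/$p.crt" && echo "$p: unencrypted key, matching self-signed cert"
done
rm -rf "$d"
```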