Note that this is from a previous page I had that I’m republishing here as the machine that hosted that old page is now gone. There are some things that need to be clarified, but for now it is what it is.
Why become your own CA? Sure, there are a lot of instructions out there that show you how to create self-signed certificates, but if you have a number of servers you’re doing this for, you’d have to hand a separate self-signed cert to everyone who wants to use each and every service. This way you don’t: you only have to give them the public CA certificate, and every cert you sign with your CA key will then be accepted by them. Besides, it’s fun for everyone involved.
# 1. Create your CA signing key. Give it a passphrase. The common name should be
#    your real name (not necessarily the machine name; that comes later).
openssl genrsa -des3 -out ca.key 2048
# 2. Create a public certificate for this key
openssl req -new -x509 -days 1095 -key ca.key -out ca.crt
# 3. Make a key for your first server
openssl genrsa -out www.key 2048
# 4. Make a certificate signing request for your first server
openssl req -new -key www.key -out www.csr
# 5. Sign the CSR (which produces the new certificate)
sign.sh www.csr
Repeat steps 3 through 5 for each server for which you want to generate a key/cert. Note that some services expect the server cert and key to be in the same file (imap-uw, for one). In that case, just:
cat www.key >> www.crt
Replace the filenames with the files you’re using, of course. You may want to rename www.crt to something else that reminds you the key is in there (because you never want the key to get out to anyone else).
Always make sure that the key files stay private. Make them mode 600 (chmod 600 www.key), or even better, make them mode 600 and put them in a mode 700 directory. The ca.crt is what you give to people (post on your website, for example).
Now just configure the services to look at these new files and you’re good to go!
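The whole procedure end to end, run non-interactively in a scratch directory, as an added example that is not the original post's script. It assumes an openssl binary on the PATH; the passphrase, the CA name and the www.example.test hostname are constructed placeholders, the signing command is an assumption about what the post's unshown sign.sh does, and the subjectAltName line is an addition because current clients match hostnames against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example: the five steps from the post, a stand-in for sign.sh,
# the combined key+cert file, the file modes, and a verification step.
# Passphrase, names and hostname below are constructed placeholders.
set -eu

make_ca_and_server_cert() {
  # $1 = working directory; a subshell keeps the caller's cwd untouched
  (
    cd "$1"
    # 1. CA signing key, passphrase-protected (constructed; pick a real one)
    openssl genrsa -des3 -passout pass:ca-passphrase -out ca.key 2048 2>/dev/null
    # 2. Self-signed CA certificate, valid 1095 days as in the post
    openssl req -new -x509 -days 1095 -key ca.key -passin pass:ca-passphrase \
      -subj "/CN=Example Person CA" -out ca.crt
    # 3. Server key and 4. its CSR; the CN is the server's hostname
    openssl genrsa -out www.key 2048 2>/dev/null
    openssl req -new -key www.key -subj "/CN=www.example.test" -out www.csr
    # 5. Assumed equivalent of sign.sh: sign the CSR with the CA key.
    #    The SAN is added because clients match hostnames on SAN, not CN.
    printf 'subjectAltName=DNS:www.example.test\n' > www.ext
    openssl x509 -req -in www.csr -CA ca.crt -CAkey ca.key \
      -passin pass:ca-passphrase -CAcreateserial -days 365 \
      -extfile www.ext -out www.crt 2>/dev/null
    # Combined key+cert file for services that want both in one file,
    # named so it is obvious the key is inside; keys stay mode 600
    cat www.crt www.key > www-with-key.pem
    chmod 600 ca.key www.key www-with-key.pem
  )
}

# Exit 0 only if www.crt chains to ca.crt, which is exactly the check a
# client holding ca.crt performs when it connects to the server.
verify_against_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/www.crt" >/dev/null
}

# Exit 0 only if the server certificate carries the expected DNS SAN
has_dns_san() {
  openssl x509 -in "$1/www.crt" -noout -text | grep -q "DNS:$2"
}
```

Give ca.crt to your users and keep everything that was chmod'ed 600 to yourself; the verify step is worth running once per signed cert before you deploy it.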