Super-quick Guide to Setting Up Your Own CA
In order to run a secure (SSL/TLS encrypted) service, you have to have a private key and a certificate for the server. For Intranet or special-purpose uses, you can be your own Certificate Authority (CA). This is accomplished with standard OpenSSL tools.
First, we will make a new directory for working with the certificates and keys:
[root]# mkdir /root/CA
[root]# chmod 0700 /root/CA
[root]# cd /root/CA
Now, we will make a private CA key and a private CA X.509 certificate:
[root]# openssl genrsa -des3 -out my-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................+++
...................................................+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:VanEmery.Com CA
Email Address []:[email protected]
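The first OpenSSL command makes the 2048-bit RSA key and, because of -des3, stores it encrypted under the pass phrase you enter. The second command makes the self-signed X.509 certificate with a 10-year lifetime (-days 3650).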
This command lets you view the completed certificate:
[root]# openssl x509 -in my-ca.crt -text -noout
Now that you are done, please read and heed the following:
Caution!
Now that you are finished, you need to make backups of the certificates and keys. You can and should back this data up to CDs, floppies, and paper. Make sure that you also record the key's password in a safe place. The certs, keys, and passwords should then be locked up in a safe place.
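
One way to check a backup set before locking it away, as an added example that is not part of the original guide: the script builds a throwaway CA with the guide's two commands (prompts answered from a constructed config file and passphrase file) and confirms that the key is encrypted, the recorded passphrase opens it, and it matches a valid CA certificate. The function names, the config contents, the passphrase and the `Example Test CA` subject are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the original guide. All names, the config file and
# the passphrase below are constructed for the demo.

make_test_ca() {    # $1 = working directory for a throwaway CA
    mkdir -p "$1" && chmod 0700 "$1" || return 1
    printf '%s\n' 'constructed-demo-passphrase' > "$1/pass.txt"
    # Minimal config so "req" asks no questions and marks the cert as a CA.
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # The guide's two commands, with the prompts answered from files.
    openssl genrsa -des3 -passout "file:$1/pass.txt" \
        -out "$1/my-ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -config "$1/ca.cnf" \
        -key "$1/my-ca.key" -passin "file:$1/pass.txt" -out "$1/my-ca.crt"
}

check_ca() {        # $1 = key, $2 = certificate, $3 = passphrase file
    grep -q 'ENCRYPTED' "$1" || { echo "key not encrypted"; return 1; }
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate"; return 1; }
    openssl verify -CAfile "$2" "$2" >/dev/null 2>&1 ||
        { echo "self-signature invalid"; return 1; }
    # The recorded passphrase must actually open the key...
    km=$(openssl rsa -in "$1" -passin "file:$3" -noout -modulus 2>/dev/null) ||
        { echo "passphrase does not open key"; return 1; }
    # ...and the key must be the one the certificate was issued for.
    cm=$(openssl x509 -in "$2" -noout -modulus)
    [ "$km" = "$cm" ] || { echo "key/cert mismatch"; return 1; }
    # Fail if the certificate expires within a year (31536000 seconds).
    openssl x509 -in "$2" -noout -checkend 31536000 >/dev/null ||
        { echo "expires within a year"; return 1; }
    echo "ok"
}

# Demo on a scratch directory; prints "ok".
tmp=$(mktemp -d) && make_test_ca "$tmp/CA" &&
    check_ca "$tmp/CA/my-ca.key" "$tmp/CA/my-ca.crt" "$tmp/CA/pass.txt"
rm -rf "$tmp"
```

To check a real backup, call `check_ca` on the restored copies of the key and certificate, with the recorded passphrase in a file readable only by root.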