CA (Certificate Authority) in brief

Requirements:

  • openssl

Generate CA

  1. Generate RSA key (I used 2048 bits, but you can use 1024, which I think is the default, or a stronger size like 2048 or 4096)
    openssl genrsa -des3 -out my-ca.key 2048
  2. Generate the self-signed CA certificate (valid for 3650 days = 10 years)
    openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
  3. Print the CA certificate
    openssl x509 -in my-ca.crt -text -noout

Certificate for server

  1. Server Admin
  2. Generate key for the server (key size is 1024 bits, but you can use a stronger one)
    openssl genrsa -des3 -out server.key 1024
  3. Create the certificate request (the Common Name must be the fully qualified domain name of the server)
    openssl req -new -key server.key -out server.csr
  4. CA Admin
  5. Sign the certificate with the CA key (the serial file is created on first use)
    openssl x509 -req -in server.csr -out server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
  6. Print the server certificate
    openssl x509 -in server.crt -text -noout
  7. Server Admin
  8. Decrypt the key (useful if you don't want to enter the passphrase at each start/restart of some applications, e.g. Apache)
    openssl rsa -in server.key -out server.key.unencrypted
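The CA, server-certificate and key-decryption steps above as one non-interactive script, added here as an example (not part of the original page). Passphrases, subjects and the output directory are constructed placeholders, and it signs with -sha256 instead of the page's -sha1, since SHA-1 signatures are rejected by current clients; it also adds the check the procedure leaves out: verifying that the issued certificate chains to the CA.

```shell
#!/bin/sh
# Added example: automates "Generate CA" and "Certificate for server".
# All passphrases/subjects below are constructed placeholders, not real secrets.
CA_PASS='ca-passphrase-placeholder'
SERVER_PASS='server-passphrase-placeholder'

# build_demo_pki DIR : creates CA + server cert in DIR; returns 0 only if every
# step succeeded, the cert verifies against the CA and the key is decrypted.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir" &&
    # --- CA admin: DES3-encrypted CA key and self-signed CA certificate (10 years)
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/my-ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$dir/my-ca.key" -passin "pass:$CA_PASS" \
        -subj '/CN=Demo Test CA' -out "$dir/my-ca.crt" &&
    # --- Server admin: server key and CSR; CN must be the server's FQDN
    openssl genrsa -des3 -passout "pass:$SERVER_PASS" -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -passin "pass:$SERVER_PASS" \
        -subj '/CN=www.example.test' -out "$dir/server.csr" &&
    # --- CA admin: sign the CSR (serial file created on first use); sha256, not sha1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 3650 -sha256 \
        -out "$dir/server.crt" 2>/dev/null &&
    # --- Server admin: strip the passphrase so a daemon can start unattended
    openssl rsa -in "$dir/server.key" -passin "pass:$SERVER_PASS" \
        -out "$dir/server.key.unencrypted" 2>/dev/null &&
    # --- Checks the page omits: does the cert chain to our CA? is the key really plain?
    openssl verify -CAfile "$dir/my-ca.crt" "$dir/server.crt" >/dev/null &&
    ! grep -q ENCRYPTED "$dir/server.key.unencrypted"
}

# issued_cn FILE : prints the Common Name of a certificate (to confirm the FQDN)
issued_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```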

Personal certificate

  1. User
  2. Generate key (I used 1024 bits)
    openssl genrsa -des3 -out c.key 1024
  3. Create the request
    openssl req -new -key c.key -out c.csr
  4. CA Admin
  5. Sign the certificate
    openssl x509 -req -in c.csr -out c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
  6. Convert the certificate and key to PKCS#12 format (importable into Windows)
    openssl pkcs12 -export -in c.crt -inkey c.key -name "Bla Bla Bla" -out c.p12
  7. Print info about the client certificate in the PKCS#12 file (no keys)
    openssl pkcs12 -in c.p12 -clcerts -nokeys -info
    Note: the export password is needed only by the end user (when importing c.p12).
    Note: the security device master password is set on the user's computer; don't forget it!