Creating and using your own certificate authority (CA)

Perform the following procedure to create and use your own certificate authority.

To create and use your own certificate authority

  1. Access the \pw\ApacheGroup\Apache\bin directory.
  2. Enter the following command to create an RSA private key for your CA (the RSA private key is Triple-DES encrypted and PEM formatted):

    openssl genrsa -des3 -out ca.key 1024
  3. Back up the ca.key file and record the pass-phrase you just entered in a secure location. You can see details of this RSA private key by entering the following command:

    openssl rsa -noout -text -in ca.key
  4. Enter the following command to create a self-signed CA certificate (X509 structure) with the RSA key of the CA (output is PEM formatted):

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt


    You can see details of this certificate by entering the following command:

    openssl x509 -noout -text -in ca.crt
  5. Prepare a script for signing.

    This script allows you to use the openssl ca command more easily.

    A script named sign.sh is distributed with Apache mod_ssl. Use this script for signing. If you already have a server.csr available, you can now use this CA to sign server CSRs and create real SSL certificates for use inside an Apache Web server by entering:

    \pw\ApacheGroup\Apache\bin\misc\sign.sh server.csr


    This signs the server CSR and results in a server.crt file.
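
The procedure above run end to end, as an added example that is not part of the original page or of mod_ssl. It assumes a POSIX shell with openssl on the PATH, uses constructed subject names and a constructed pass-phrase, generates 2048-bit keys instead of the 1024 shown in step 2 (1024-bit RSA is no longer considered adequate), and signs with openssl x509 -req in place of sign.sh. It then checks that server.crt chains to ca.crt and that a certificate the CA did not issue is rejected.

```shell
#!/bin/sh
# Added example: steps 2-5 in a scratch directory, followed by verification.
# Subjects and pass-phrase are constructed; key size is 2048, not the page's 1024.
CA_PASS='constructed-demo-passphrase'
export CA_PASS   # read via env: so the pass-phrase is not on the command line

build_and_verify() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Step 2: Triple-DES encrypted, PEM formatted CA private key
        openssl genrsa -des3 -passout env:CA_PASS -out ca.key 2048 2>/dev/null || exit 1
        chmod 600 ca.key
        # Step 4: self-signed CA certificate
        openssl req -new -x509 -days 365 -key ca.key -passin env:CA_PASS \
            -subj "/CN=Example Internal CA" -out ca.crt || exit 1
        # The server.csr that step 5 expects (unencrypted server key for the demo)
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
            -subj "/CN=www.example.test" -out server.csr 2>/dev/null || exit 1
        # Step 5: sign the CSR (openssl x509 -req stands in for sign.sh here)
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -passin env:CA_PASS -CAcreateserial -days 365 \
            -out server.crt 2>/dev/null || exit 1
        # Check 1: server.crt must chain to the CA certificate
        openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || exit 2
        # Check 2: the certificate must carry the public key of server.key
        cert_pub=$(openssl x509 -noout -pubkey -in server.crt)
        key_pub=$(openssl pkey -pubout -in server.key)
        [ "$cert_pub" = "$key_pub" ] || exit 3
        # Check 3: a certificate the CA did not issue must be rejected
        openssl req -new -x509 -days 1 -key server.key \
            -subj "/CN=www.example.test" -out rogue.crt || exit 1
        if openssl verify -CAfile ca.crt rogue.crt >/dev/null 2>&1; then exit 4; fi
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

build_and_verify && echo "server.crt verifies against ca.crt"
```

A non-zero return identifies the failing stage: 1 for a generation or signing error, 2 for a broken chain, 3 for a key mismatch, 4 if the unrelated certificate was accepted.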
