I have rolled this process into my Personal Infrastructure CA. https://gitlab.com/rmetcalf9/RJM_Personal_Infrastructure/tree/master/CA
Done in /etc/apache2/ssl
Create key (we already have one, so no need to repeat this):
openssl genrsa -out server.key 2048
??Does the common name have to match the host name??
See wget error
Create signing request:
openssl req -new -key server.key -out server.csr
country: GB
State or Province Name: UK
Locality Name (eg, city): London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Robert Metcalf (metcarob)
Organizational Unit Name (eg, section) []: Personal website
Common Name (eg, YOUR name) []: *.metcarob.com
Email Address []: securitycert@metcarob.com
Optional fields (leave blank):
A challenge password []:
An optional company name []:
Sign the key (self-signed):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.cert
Restart Apache
/etc/init.d/apache2 restart
Set up the SSL pass phrase
add a file wdke.sh to /etc/apache2/ssl
make it executable
make the Apache user own it using chown and chgrp
make it unreadable by other users (no world permissions)
#!/bin/sh
echo "passphrase"
Edit /etc/apache2/httpd.conf (now /etc/apache2/mods-enabled/ssl.conf)
Find a section like the following and point SSLPassPhraseDialog at the script:
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# #SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/apache2/ssl/wdke.sh
</IfModule>
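As an added example (not part of the original notes): a POSIX shell helper that carries out the four steps above for the pass-phrase script and then checks the result, refusing a file that group or others can read. It assumes the caller supplies the target directory and the name of the user Apache runs as (www-data on Debian-based systems, which the notes do not state); wdke.sh is the file name the notes use, and the pass phrase here is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the original notes. Installs the helper that
# "SSLPassPhraseDialog exec:" runs. Apache invokes it with two arguments
# (servername:port and the key type) and reads the pass phrase from stdout,
# so anyone who can read or run this file can decrypt the server key.

# install_passphrase_helper DIR OWNER PASSPHRASE
# Writes DIR/wdke.sh, makes it read+execute for OWNER only (mode 0500), and
# returns non-zero if the result is still visible to group or others.
install_passphrase_helper() {
    dir=$1; owner=$2; passphrase=$3
    helper="$dir/wdke.sh"

    # Create the file under a restrictive umask so the secret is never
    # world-readable, not even for the instant between creation and chmod.
    ( umask 077 && printf '#!/bin/sh\n' > "$helper" ) || return 1
    # Single quotes keep the pass phrase literal; it must not contain a quote.
    printf "echo '%s'\n" "$passphrase" >> "$helper" || return 1

    chmod 0500 "$helper" || return 1      # owner: read + execute, nothing else
    chown "$owner" "$helper" || return 1  # the Apache user must be able to run it

    check_helper_mode "$helper"
}

# check_helper_mode FILE
# Returns 1 if FILE grants any permission to group or others.
# Tries GNU stat first, then BSD stat, so it works on Linux and macOS.
check_helper_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *)   echo "insecure mode $mode on $1" >&2; return 1 ;;
    esac
}

# Matching directive from the notes (ssl.conf):
#   SSLPassPhraseDialog exec:/etc/apache2/ssl/wdke.sh
```

Run as root on the server with something like `install_passphrase_helper /etc/apache2/ssl www-data 'the pass phrase'`; the mode check is deliberately separate so it can be rerun later as an audit step, for example after a package upgrade has touched the directory.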
Process used to generate the root CA signing key and certificate
cd /etc/apache2/ssl/rootCA
openssl genrsa -out metcarob_root_auth.key 2048
openssl req -x509 -new -nodes -key metcarob_root_auth.key -days 2048 -out metcarob_root_auth.pem
country: GB
State or Province Name: UK
Locality Name (eg, city): London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Robert Metcalf (metcarob)
Organizational Unit Name (eg, section) []: Root CA
Common Name (eg, YOUR name) []: Robert Metcalf
Email Address []: securitycert@metcarob.com
Repeat these steps for every domain I sign with my root CA.
The domain matches SITE_NAME in my config.
cd /etc/apache2/ssl
DOMAIN=download_mylinkedthings
openssl genrsa -out ${DOMAIN}.key 2048
openssl req -new -key ${DOMAIN}.key -out ${DOMAIN}.csr -subj "/C=GB/ST=UK/L=London/O=Robert Metcalf (metcarob)/CN=${DOMAIN}/emailAddress=securitycert@metcarob.com"
Produce the signed cert (valid for 500 days):
openssl x509 -req -in ${DOMAIN}.csr -CA ./rootCA/metcarob_root_auth.pem -CAkey ./rootCA/metcarob_root_auth.key -CAcreateserial -out ${DOMAIN}.cert -days 500
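The root-CA and per-domain steps above as an added shell example (not code from the notes or the linked repository), followed by the check the notes do not include: openssl verify confirming that the signed certificate chains to the root and is valid for the hostname a client will connect to. It goes beyond the page in two ways: the root certificate gets explicit CA extensions, and the leaf gets a subjectAltName, because wget, curl and browsers match the hostname against the SAN rather than the common name. It assumes a scratch working directory, the file names from the notes (rootCA/metcarob_root_auth.key and .pem, ${DOMAIN}.key, .csr and .cert), the subject values from the notes, and a constructed hostname such as download.example.test.

```shell
#!/bin/sh
# Added example, not code from the original notes or the linked repository.
# Wraps the root-CA and per-domain signing steps in functions and adds the
# check the notes omit: does the signed certificate chain to the root CA, and
# does it match the hostname a client will connect to?
#
# Assumptions (not on the page): WORKDIR is a scratch directory; HOSTNAME is a
# constructed name such as download.example.test; the root gets explicit CA
# extensions and the leaf a subjectAltName (clients check the SAN, not the CN).

SUBJ_BASE="/C=GB/ST=UK/L=London/O=Robert Metcalf (metcarob)"

# make_root_ca WORKDIR
# Creates WORKDIR/rootCA/metcarob_root_auth.key and .pem (self-signed root).
make_root_ca() {
    ca="$1/rootCA"
    mkdir -p "$ca" || return 1
    # Minimal openssl config: an empty DN section (the subject comes from
    # -subj) plus the extensions that mark the self-signed certificate as a CA.
    cat > "$ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the CA key unencrypted, as in the notes; the umask keeps
    # the key file readable by its owner only (mode 0600).
    ( umask 077 && openssl genrsa -out "$ca/metcarob_root_auth.key" 2048 ) >/dev/null 2>&1 || return 1
    openssl req -x509 -new -nodes -config "$ca/ca.cnf" \
        -key "$ca/metcarob_root_auth.key" -days 2048 \
        -subj "$SUBJ_BASE/OU=Root CA/CN=Robert Metcalf" \
        -out "$ca/metcarob_root_auth.pem" 2>/dev/null
}

# sign_domain WORKDIR DOMAIN HOSTNAME
# Generates WORKDIR/DOMAIN.key and DOMAIN.csr, then signs the request with the
# root CA for 500 days, embedding HOSTNAME as a DNS subjectAltName.
sign_domain() {
    work=$1; domain=$2; host=$3
    ca="$work/rootCA"
    ( umask 077 && openssl genrsa -out "$work/$domain.key" 2048 ) >/dev/null 2>&1 || return 1
    openssl req -new -config "$ca/ca.cnf" -key "$work/$domain.key" \
        -subj "$SUBJ_BASE/CN=$host/emailAddress=securitycert@metcarob.com" \
        -out "$work/$domain.csr" 2>/dev/null || return 1
    # x509 -req copies no extensions from the CSR; they come from -extfile.
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$host" > "$work/$domain.ext"
    openssl x509 -req -in "$work/$domain.csr" \
        -CA "$ca/metcarob_root_auth.pem" -CAkey "$ca/metcarob_root_auth.key" -CAcreateserial \
        -extfile "$work/$domain.ext" -days 500 \
        -out "$work/$domain.cert" 2>/dev/null
}

# verify_domain WORKDIR DOMAIN HOSTNAME
# Succeeds only if DOMAIN.cert chains to the root CA and is valid for HOSTNAME.
# A wrong HOSTNAME fails here just as it would in wget or curl.
verify_domain() {
    work=$1; domain=$2; host=$3
    openssl verify -CAfile "$work/rootCA/metcarob_root_auth.pem" \
        -verify_hostname "$host" "$work/$domain.cert" >/dev/null 2>&1
}

# Example run (constructed values):
#   make_root_ca /tmp/ca && sign_domain /tmp/ca download_mylinkedthings download.example.test
#   verify_domain /tmp/ca download_mylinkedthings download.example.test && echo "chain and hostname OK"
```

The verify step answers the open question about the common name: with a SAN present, clients ignore the CN for hostname matching, so the certificate is accepted for exactly the names listed in the SAN and nothing else. Keep the root key (metcarob_root_auth.key) off the web server if possible; it only needs to exist where signing happens.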