Sunday, July 4, 2010

Self-Signed SSL Certificates

So you'd think there are enough blog posts about this already. Well, think again, since this particular summary is what actually ended up working for me. Obviously your mileage may vary.

  1. openssl genrsa 1024 > host.key
  2. openssl req -new -key host.key -out host.csr
  3. openssl x509 -req -days 730 -in host.csr -signkey host.key -out host.crt

Of course that's what everybody has, so why write about this? Three reasons:

  • Make sure you chmod 400 host.key since you don't want anybody to see that.
  • Using lighttpd? Do a cat host.key host.crt > host.pem and chmod 400 that as well.
  • The "Common Name" you have to enter in step 2. If you have various subdomains like www.example.com and mail.example.com and so on, you don't want to enter "example.com" here. Instead you'd enter something globtastic like "*.example.com". But wait, that doesn't match just plain example.com anymore! Better use "*example.com" and wow, that actually works.
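An added example, not part of the original post: one certificate that covers both the bare domain and its subdomains by listing the names in subjectAltName instead of relying on a Common Name pattern, then checking each hostname with OpenSSL's own matcher. It assumes OpenSSL 1.1.1 or later (for `-addext`), uses a 2048-bit key rather than the 1024 bits above, and the function names and example.com are placeholders.

```bash
#!/usr/bin/env bash
# Added example: self-signed cert with SAN entries for DOMAIN and *.DOMAIN.
# make_cert/host_matches/demo are hypothetical helper names; example.com is a placeholder.

# make_cert DIR DOMAIN: writes DIR/host.key and DIR/host.crt in one call
# (key generation, request and self-signing combined).
make_cert() {
    local dir=$1 domain=$2
    # Restrictive umask in a subshell so host.key is never readable by others,
    # not even between creation and the chmod below.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
            -keyout "$dir/host.key" -out "$dir/host.crt" \
            -subj "/CN=$domain" \
            -addext "subjectAltName=DNS:$domain,DNS:*.$domain"
    ) || return 1
    chmod 400 "$dir/host.key"
}

# host_matches CERT HOSTNAME: exit 0 if OpenSSL's hostname check accepts HOSTNAME.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Build a throwaway certificate and report which names it is valid for.
demo() {
    local tmp h
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" example.com || { rm -rf "$tmp"; return 1; }
    for h in example.com www.example.com mail.example.com a.b.example.com example.org; do
        if host_matches "$tmp/host.crt" "$h"; then
            echo "match     $h"
        else
            echo "NO match  $h"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The wildcard entry covers exactly one label, so a.b.example.com is reported as not matching.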

An Internet. Wow! It's so pretty... Who would've thunk? :-D
