- You are testing your new certificate handling utility, which is about to save the world soon.
- You want to generate a new certificate `MyRootCert.pem`, install it as a trusted root, and sign another certificate `MyCert.pem` with it to get `MySignedCert.pem`.
- You like dirty barbarian solutions which are simple enough to just work.
- And you use OpenSSL on a Linux machine.

Here is what you do:

```bash
cd /etc/ssl/certs # or wherever the system store is
# Create certificate and private key
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout MyRootCertKey.pem \
    -out MyRootCert.pem
# MAGIC: serial number, will be overwritten after signing other certificate
# (tee writes the file as root; with "sudo echo ... > file" the redirect runs unprivileged)
echo "02" | sudo tee MyRootCert.srl > /dev/null
# Create symlink
sudo ln -s MyRootCert.pem "$(openssl x509 -subject_hash -in MyRootCert.pem -noout).0"
# Keeping unencrypted private key together with the trusted certificate
# seems to be a big no-no. Done for testing only.
cd ~/test # or wherever you keep the certificate
# Sign certificate
sudo openssl x509 -in MyCert.pem -CA /etc/ssl/certs/MyRootCert.pem \
    -CAkey /etc/ssl/certs/MyRootCertKey.pem -out MySignedCert.pem
```

Do not forget to remove the created horror when the testing period is finished. Read the OpenSSL docs. And maybe use the Perl scripts.
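
One way to do the cleanup mentioned above, as an added example that is not part of the original post. The function names are hypothetical; the file names and the default store path are the ones used on this page.

```shell
#!/bin/sh
# Added example: remove the test root CA (certificate, key, serial file and
# hash symlink) from a store directory, then confirm nothing is left behind.

# remove_test_root [STORE_DIR] [BASENAME] -> prints number of entries removed
remove_test_root() {
    rtr_store="${1:-/etc/ssl/certs}"
    rtr_name="${2:-MyRootCert}"
    rtr_removed=0

    # Hash links look like <hash>.<n>. Match them by link target instead of
    # recomputing the hash, so cleanup works even if the .pem is already gone.
    for rtr_link in "$rtr_store"/*.[0-9]*; do
        [ -L "$rtr_link" ] || continue
        case "$(readlink "$rtr_link")" in
            "$rtr_name.pem"|"$rtr_store/$rtr_name.pem")
                rm -f -- "$rtr_link"
                rtr_removed=$((rtr_removed + 1)) ;;
        esac
    done

    # Certificate, unencrypted private key and serial file.
    for rtr_file in "$rtr_name.pem" "${rtr_name}Key.pem" "$rtr_name.srl"; do
        if [ -e "$rtr_store/$rtr_file" ] || [ -L "$rtr_store/$rtr_file" ]; then
            rm -f -- "$rtr_store/$rtr_file"
            rtr_removed=$((rtr_removed + 1))
        fi
    done
    echo "$rtr_removed"
}

# test_root_absent [STORE_DIR] [BASENAME] -> exit status 0 if nothing is left
test_root_absent() {
    tra_store="${1:-/etc/ssl/certs}"
    tra_name="${2:-MyRootCert}"
    for tra_file in "$tra_name.pem" "${tra_name}Key.pem" "$tra_name.srl"; do
        if [ -e "$tra_store/$tra_file" ]; then return 1; fi
    done
    for tra_link in "$tra_store"/*.[0-9]*; do
        if [ -L "$tra_link" ]; then
            case "$(readlink "$tra_link")" in
                "$tra_name.pem"|"$tra_store/$tra_name.pem") return 1 ;;
            esac
        fi
    done
    return 0
}
```

Against the real store, call the functions from a root shell, since `sudo` cannot invoke a shell function directly.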