The location of CA.pl is /usr/lib/ssl/misc/CA.pl
The location of openssl.cnf is /etc/ssl/openssl.cnf
#cd /etc/ssl
#mkdir private
#mkdir newcerts

To create a certification authority, first edit openssl.cnf correctly, then run:
#CA.pl -newca

Create a Root Certification Authority Certificate
#openssl req -config /etc/ssl/openssl.cnf -new -x509 -keyout private/cakey.pem \
-out cacert.pem -days 3650

Now ensure that the file index.txt is empty and that the file serial contains 01.

Install the CA root certificate as a Trusted Root Certificate
#openssl x509 -in cacert.pem -out cacert.crt
Place this file on your web site as http://mysite.com/ssl/cacert.crt
#vi /etc/apache/conf/mime.types
application/x-x509-ca-cert crt cert der

Generate and Sign a certificate request
#CA.pl -newreq
This creates a new private key and a certificate request and places both in newreq.pem.
#CA.pl -sign
This signs the request using cacert.pem and writes the certificate to newcert.pem.

For IIS, rename certreq.txt to newreq.pem, copy it to /etc/ssl, and run:
#CA.pl -sign


A copy of newcert.pem is placed in newcerts/ with a corresponding entry in index.txt, so that a client can request this information via a web server to ensure the authenticity of the certificate.
Beware of your newreq.pem file: it contains a certificate request, but also your private key. The -PRIVATE KEY- section is not required for signing. So if you ask someone else to sign your certificate request, make sure that you have removed the -PRIVATE KEY- section from the file. If you sign someone else's certificate request, ask that person for the -CERTIFICATE REQUEST- section only, not the private key.

Revoke a certificate
#openssl ca -revoke newcert.pem
The database is updated and the certificate is marked as revoked. You now need to generate the new revoked list of certificates.
#openssl ca -gencrl -config /etc/ssl/openssl.cnf -out crl/sopac-ca.crl

Display a certificate
#openssl x509 -in newcert.pem -noout -text

Index.txt file
The index.txt file lists the certificates managed by OpenSSL. The entries are marked with R for Revoked, V for Valid and E for Expired.
=======================================================

Using a certificate with mod_ssl in apache

Never use your self-signed root CA certificate directly with any application, and especially not with Apache, as it requires you to remove the passphrase on your private key.

First generate and sign a certificate request with the Common Name (CN) set to www.mysite.com. Remove any extra information from the resulting certificate to keep only the ---CERTIFICATE--- part.

The key needs to be made insecure, so that no passphrase is required when reading the private key. Take the newreq.pem file that contains your private key and remove the passphrase from it.

openssl rsa -in newreq.pem -out wwwkeyunsecure.pem

Because the private key is now unprotected, you must know what you are doing: check file permissions, etc. If someone gets their hands on it, your site is compromised (you have been warned). Now you can use newcert.pem and wwwkeyunsecure.pem for Apache.

Copy wwwkeyunsecure.pem and newcert.pem to the directory /etc/httpd/conf/ssl/ as wwwkeyunsecure.pem and wwwcert.crt respectively.

Edit /etc/httpd/conf/ssl/ssl.default-vhost.conf.

----
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time.
#SSLCertificateFile conf/ssl/ca.crt
SSLCertificateFile conf/ssl/wwwcert.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file.
#SSLCertificateKeyFile conf/ssl/ca.key.unsecure
SSLCertificateKeyFile conf/ssl/wwwkeyunsecure.pem
----

Stop httpd (/etc/rc.d/init.d/httpd stop), ensure that all processes are dead (killall httpd), then start httpd (/etc/rc.d/init.d/httpd start).
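
Added example, not part of the original instructions: a small POSIX sh helper for the two PEM-trimming steps above (sending only the -CERTIFICATE REQUEST- section of newreq.pem to a signer, and keeping only the ---CERTIFICATE--- part of newcert.pem for Apache). The function names, the output file request-only.pem and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): split a mixed PEM file by label.
# All file contents below are constructed placeholders, not real key material.

# pem_extract LABEL FILE
# Print only the PEM blocks labelled exactly LABEL; return 1 if FILE has none.
# Trailing CRs are stripped so files that passed through Windows still match.
pem_extract() {
    awk -v label="$1" '
        BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
        { sub(/\r$/, "") }
        $0 == b { inside = 1; found = 1 }
        inside  { print }
        $0 == e { inside = 0 }
        END     { exit(found ? 0 : 1) }
    ' "$2"
}

# pem_has_private_key FILE
# True if FILE holds any private-key block (RSA, EC, PKCS#8, encrypted or not).
pem_has_private_key() {
    grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"
}

# make_samples DIR: write constructed stand-ins for newreq.pem and newcert.pem.
make_samples() {
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'Q09OU1RSVUNURUQtS0VZ' \
        '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE REQUEST-----' \
        'Q09OU1RSVUNURUQtQ1NS' \
        '-----END CERTIFICATE REQUEST-----' > "$1/newreq.pem"
    printf '%s\n' \
        'Certificate:' \
        '    Data:' \
        '        Serial Number: 1 (0x1)' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtQ1JU' \
        '-----END CERTIFICATE-----' > "$1/newcert.pem"
}

work=$(mktemp -d) && make_samples "$work"
# What goes to the signer: the request only, never the key.
pem_extract 'CERTIFICATE REQUEST' "$work/newreq.pem" > "$work/request-only.pem"
# What Apache gets as wwwcert.crt: the certificate block without the text dump.
pem_extract 'CERTIFICATE' "$work/newcert.pem" > "$work/wwwcert.crt"
pem_has_private_key "$work/request-only.pem" || echo "request-only.pem: no key"
```

Run pem_has_private_key on any file before it leaves the machine; it should succeed on newreq.pem and fail on the extracted request.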
