Apache, OpenSSL
Create a root certificate
All other certificates will be based on this one. Because we are not a commercial certificate authority, browsers will still complain when they visit our secure site. However, manually importing one of the files created below will make the site behave just like any commercial site.
To create, type:
$ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 365 -config ./openssl.cnf
The two files that are created are cacert.pem, which is the one that can be imported in the browsers, and cakey.pem, which will be in the private directory.
| Name Field | Explanation | Example |
| --- | --- | --- |
| Country Name | The two-letter ISO abbreviation for your country. | CA (Canada) |
| State or Province Name | The state or province. Cannot be abbreviated. | Alberta |
| City or Locality | The city where the organization is located. | Calgary |
| Organization Name | The exact legal name of the organization. Do not abbreviate. | Kandy Software Inc. |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name (Server Host Name) | The fully qualified domain name for the web server. A certificate name check warning is thrown if this is not an exact match. | If the intended secure URL is https://secure.URL.com, then the CSR’s Server Hostname must be secure.URL.com or *.URL.com for all subdomains. |
| Server Admin.’s email address | Admin email address. | someone@domain.com |
Create a key and signing request
To create a key and a signing request, run the following command:
$ openssl req -new -nodes -out req.pem -config ./openssl.cnf
Among the information prompted for, the critical part is the Common Name. This must be the server’s hostname, such as mail.domain.name, or the IP address. To cover all subdomains, *.your.domain can be used. Use the Organizational Unit as a reminder of what the certificate is for, such as Web Server.
This will generate two files – key.pem, the private key, and req.pem, the signing request.
Sign the request
To generate the certificate, run the following command:
$ openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
When creating the root certificate, a password is required. Two files are created – cert.pem, which is the certificate, and
Copy to the correct location
Copy the pem files to /etc/apache2/ssl:
$ cp key.pem /etc/apache2/ssl
$ cp cert.pem /etc/apache2/ssl
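The following check, added here as an example and not part of the original tutorial, confirms that cert.pem chains to cacert.pem, that key.pem belongs to cert.pem, that the certificate is not about to expire, and that the unencrypted key is readable only by its owner. The function name check_cert_bundle and the 30-day default are assumptions; the file names are the ones used above.

```shell
#!/bin/sh
# check_cert_bundle CA_CERT SERVER_CERT SERVER_KEY [MIN_DAYS]
# Hypothetical helper (not from the tutorial). Prints one line per check and
# returns 0 only if every check passes.
# Usage: check_cert_bundle cacert.pem cert.pem key.pem
check_cert_bundle() {
    ca=$1 cert=$2 key=$3 min_days=${4:-30}   # 30 days is an assumed default
    rc=0

    # 1. The certificate must chain to our root.
    #    openssl verify prints "<file>: OK" on success.
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "PASS chain: $cert is signed by $ca"
    else
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "PASS key: $key matches $cert"
    else
        echo "FAIL key: $key does not match $cert"; rc=1
    fi

    # 3. The certificate must stay valid for at least MIN_DAYS more days.
    if openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "PASS expiry: valid for more than $min_days days"
    else
        echo "FAIL expiry: expires within $min_days days"; rc=1
    fi

    # 4. req -nodes leaves the key unencrypted, so only its owner may read it.
    case $(ls -lL "$key" 2>/dev/null) in
        -???------*) echo "PASS perms: $key is owner-only" ;;
        *) echo "FAIL perms: $key is open to group/other (chmod 600)"; rc=1 ;;
    esac

    return $rc
}
```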
Edit ssl.conf
Make links in /etc/apache2/mods-enabled
$ ln -s /etc/apache2/mods-available/ssl.conf ssl.conf
$ ln -s /etc/apache2/mods-available/ssl.load ssl.load
Now edit /etc/apache2/mods-enabled/ssl.conf to contain the following lines.