
How to use a private CA.




Creating a private certificate authority

To create the private key and certificate signing request (CSR) for the private CA

openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -sha256  -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./OU=IT/CN=example.com CA"


To create a self-signed certificate for your private CA

openssl x509 -signkey ca.key -days 7300 -req -in ca.csr -out ca.arm -sha256

Reference values for -days:

10 years = 3650 days
20 years = 7300 days
30 years = 10950 days


How to generate a private key and a certificate signing request (CSR)

openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key -sha256 -subj "/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./OU=IT/CN=example.com"


Sign the certificate signing request (CSR)

openssl x509 -req -days 7300 -in example.com.csr -CA ca.arm -CAkey ca.key -out example.com.crt -set_serial 01 -sha256


How to use the key and certificate in Apache, Nginx, etc.

Nginx

/etc/nginx/conf.d/XXX.conf

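server {
    # "listen ... ssl" enables TLS for this server; the separate "ssl on;"
    # directive is deprecated and is not needed.
    listen 443 ssl;

    .....

    # Certificate signed by the private CA, and its private key.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    .....
}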
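
Before reloading nginx, it helps to confirm that the certificate, the key and the CA file actually belong together. The script below is an added example, not part of the original page; the function names (key_matches_cert, issued_by, valid_for, preflight, make_sample) are illustrative, and make_sample builds constructed throwaway files with the commands shown above.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run before pointing
# ssl_certificate / ssl_certificate_key at new files. Function names are
# illustrative; only standard openssl subcommands are used.

# 0 if CERT and KEY hold the same public key (nginx refuses to load a mismatch).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if CERT's issuer name equals CA_CERT's subject name. Names only: the
# signature is not checked here.
issued_by() {  # usage: issued_by CERT CA_CERT
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# 0 if CERT is still valid SECONDS from now.
valid_for() {  # usage: valid_for CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all checks; print the first failure and return a non-zero status.
preflight() {  # usage: preflight CERT KEY CA_CERT
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    issued_by "$1" "$3" || { echo "issuer is not the given CA"; return 2; }
    valid_for "$1" 2592000 || { echo "certificate expires within 30 days"; return 3; }
    echo "ok"
}

# Constructed sample: build throwaway files in DIR with the commands from this page.
make_sample() {  # usage: make_sample DIR
    ( cd "$1" || exit 1
      s="/C=JP/ST=Tokyo/L=Shibuya-ku/O=Example, Inc./OU=IT/CN=example.com"
      openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -sha256 -subj "$s CA" &&
      openssl x509 -signkey ca.key -days 7300 -req -in ca.csr -out ca.arm -sha256 &&
      openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key -sha256 -subj "$s" &&
      openssl x509 -req -days 7300 -in example.com.csr -CA ca.arm -CAkey ca.key -out example.com.crt -set_serial 01 -sha256
    ) >/dev/null 2>&1
}

# Usage: sh preflight.sh CERT KEY CA_CERT   (with no arguments only the functions are defined)
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

Run it against the real files, for example with /etc/nginx/ssl/example.com.crt, /etc/nginx/ssl/example.com.key and ca.arm as the three arguments.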





