In the following sections we will encounter different types of files:
| Extension | Description |
|---|---|
| `.crt` | Certificate file. |
| `.csr` | Certificate signing request. A file that you send to a Certificate Authority in order to get your certificate signed. |
| `.key` | A private encryption key. Make sure that it stays private! |
While you could always create the server certificate directly, it is smarter to create your own Certificate Authority first. This allows you to create multiple certificates while only needing to install the single CA certificate on each client.
```sh
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
```
Now that you have your very own Certificate Authority you can use it to sign the server certificate.
```sh
DOMAIN=www.example.org
openssl genrsa -des3 -out "$DOMAIN".secure.key 4096
openssl req -new -key "$DOMAIN".secure.key -out "$DOMAIN".csr
openssl x509 -req -days 365 -in "$DOMAIN".csr -CA ca.crt -CAkey ca.key -set_serial 01 -out "$DOMAIN".crt
```
Since your server does not know the password to the private server key and you want the server to be able to start and stop without interaction, you need to remove the password from the server key.
```sh
openssl rsa -in "$DOMAIN".secure.key -out "$DOMAIN".key
```
Make all files accessible for only yourself.
```sh
chmod u=rw,go= *
```
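The whole procedure above, as an added example that is not part of the original page: it runs the same openssl commands non-interactively in a scratch directory and then performs the checks worth doing before deploying the files (the certificate chains to the CA, the password-less key belongs to that certificate and really is unencrypted, and no file is readable by anyone but the owner). It assumes `openssl` is in `PATH`; the passwords, the CA name and the directory are constructed values.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes openssl in PATH;
# passwords, CA name and directory are constructed values.
set -e

# Same commands as the page, with -passout/-passin and -subj added so nothing
# prompts. Arguments: directory, domain, CA key password, server key password.
build_pki() (
  domain="$2"; capass="$3"; keypass="$4"
  cd "$1"
  openssl genrsa -des3 -passout "pass:$capass" -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$capass" \
    -subj "/CN=Example Test CA" -out ca.crt
  openssl genrsa -des3 -passout "pass:$keypass" -out "$domain".secure.key 4096 2>/dev/null
  openssl req -new -key "$domain".secure.key -passin "pass:$keypass" \
    -subj "/CN=$domain" -out "$domain".csr
  openssl x509 -req -days 365 -in "$domain".csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$capass" -set_serial 01 -out "$domain".crt 2>/dev/null
  # Strip the passphrase so the server can start unattended.
  openssl rsa -in "$domain".secure.key -passin "pass:$keypass" -out "$domain".key 2>/dev/null
  chmod u=rw,go= ./*
)

# Verify what was produced. Returns 0 only if every check passes:
#  1. the server certificate chains to ca.crt,
#  2. the password-less key is the one the certificate was issued for,
#  3. that key really is unencrypted (no ENCRYPTED marker in the PEM),
#  4. no file in the directory is readable by group or others.
check_pki() {
  dir="$1"; domain="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/$domain.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  grep -q ENCRYPTED "$dir/$domain.key" && return 1
  for f in "$dir"/*; do
    # Characters 5-10 of "ls -l" are the group and other permission bits.
    case $(ls -ld "$f" | cut -c5-10) in ------) ;; *) return 1 ;; esac
  done
  return 0
}
```

Run `build_pki` once, then `check_pki` against the same directory; a swapped or regenerated key, a certificate signed by a different CA, or a leftover world-readable file all make it return non-zero.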