1) openssl genrsa -des3 -out your.key 1024
2) openssl req -new -key your.key -out your.csr
3) openssl x509 -req -days 36500 -in your.csr -signkey your.key -out your.crt
4) cp your.key your.key.orig; openssl rsa -in your.key.orig -out your.key
What the commands do:
1) An RSA private key is generated. This key will be used to sign all other certificates. “des3” is the cipher used to encrypt the key file with a passphrase; for other ciphers, see the openssl manual. “1024” means a 1024-bit key.
2) A Certificate Signing Request (CSR), which contains the public key, is generated. Normally this would be sent to a Certificate Authority, which would turn it into a real certificate. Fill out the form with your information and remember to enter the correct “Common Name”: your full domain name.
3) Instead of sending the CSR to a Certificate Authority, a self-signed certificate is created. The command uses the X.509 standard and issues a certificate valid for 36500 days (~100 years).
4) The most important part: removing the passphrase encryption from the RSA private key file. From a security viewpoint this is dangerous, because it leaves the private key without a password. However, if you want to use this certificate for Apache SSL on a standalone server (or you just don’t want to enter a password every time you start the computer), there is no other choice. If you leave your key unencrypted, anyone who gets it can use it, so it is advised to run “chmod 400” on the key file. If you leave your key encrypted, Apache asks for the key file password every time the computer boots. On a standalone server in a server room this means the server halts until an administrator intervenes.
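
A check for the state step 4 leaves behind, added here as an example and not part of the original instructions: it reports whether the key file is still passphrase-protected and, if not, whether its permissions and the certificate are consistent with it. The function names are hypothetical helpers; your.key and your.crt are the files from the commands above.

```shell
#!/bin/sh
# Added example (not from the original page): audit the files from steps 1-4.
# All function names below are hypothetical helpers.

# Exit 0 if the PEM key file is passphrase-protected. Traditional PEM marks
# this with "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses an ENCRYPTED header line.
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Print the file's octal permission bits (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if group and other have no access at all (e.g. 400 or 600).
key_perms_ok() {
    mode=$(key_mode "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Exit 0 if the certificate's public key is the one derived from the key file.
# Intended for the unencrypted key; an encrypted key makes openssl ask for
# its passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# audit_tls_files CERT KEY: print findings, exit non-zero on any failure.
audit_tls_files() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "key: passphrase-protected; Apache will ask for it at every start"
        return 0
    fi
    echo "key: unencrypted; file permissions are its only protection"
    key_perms_ok "$2" || { echo "FAIL: key mode $(key_mode "$2"), expected 400"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
    return "$rc"
}

# Usage: audit_tls_files your.crt your.key
```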