(http://pintday.org/hack/crypto/ca.shtml)

Throughout this section, wherever you see 2048, that can be replaced with any bit count, though a power of two is preferred (e.g. 1024 or 2048) as most code is optimized to operate quickly on bit-aligned numbers. The higher the better; 2048 is usually the best balance between speed and security at the moment.


RSA key handling

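# Generate an unencrypted 2048-bit RSA private key.  Set a restrictive
# umask first: older OpenSSL releases honour only the umask when
# creating the key file, so without it the key can end up world-readable.
umask 077
openssl genrsa -out server.key 2048
# Same, but protect the key with a passphrase.  The original listed
# -des|-des3|-aes128|-aes192|-aes256 as alternatives; DES and 3DES are
# legacy ciphers, so use one of the AES flags.
openssl genrsa -aes256 -out server.key 2048
# Add a passphrase to an existing plaintext key
# (the original misspelled the output name as "server-encrpyted.key").
openssl rsa -in server.key -aes256 -out server-encrypted.key
# Remove the passphrase from an encrypted key
# (the original omitted the -out flag before the output file name).
openssl rsa -in server.key -out server-decrypted.key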

DSA Key Handling

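# NOTE: DSA was removed from TLS 1.3 and is rarely accepted by current
# clients; for TLS use the RSA commands above (or ECDSA) instead.
umask 077
# DSA keys need domain parameters first; generate them once and reuse.
openssl dsaparam -out dsaparm.prm 2048
# Unencrypted DSA private key from those parameters.
openssl gendsa -out server.key dsaparm.prm
# Passphrase-protected variant.  The original listed
# -des|-des3|-aes128|-aes192|-aes256; DES and 3DES are legacy, use AES.
openssl gendsa -aes256 -out server.key dsaparm.prm
# Add a passphrase to an existing plaintext key
# (the original misspelled the output name as "server-encrpyted.key").
openssl dsa -in server.key -aes256 -out server-encrypted.key
# Remove the passphrase from an encrypted key
# (the original omitted the -out flag before the output file name).
openssl dsa -in server.key -out server-decrypted.key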

Certificate Handling

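# Self-signed certificate (365 days) for an existing key.  -sha256 replaces
# the original -sha1: SHA-1 signatures are rejected by current browsers and
# TLS libraries.  -nodes has no effect here because no key is generated.
openssl req -new -x509 -nodes -sha256 -days 365 -key server.key -out server.crt
# Root CA certificate (10 years) with a freshly generated 8192-bit key.
# Without -keyout the key is written to default_keyfile from the [ req ]
# section of ca.conf; note that [ local_ca ] reads the CA key and cert from
# different paths, so move/rename the outputs to match.  -sha256 overrides
# default_md in ca.conf (md5 in the sample below).
openssl req -config ca.conf -days 3650 -x509 -newkey rsa:8192 -sha256 -out certauth.crt -outform PEM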

Make sure you set up a proper path structure and root_ca_distinguished_name in ca.conf beforehand, or else strange things may occur.

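# --- one-time CA directory set-up; 'openssl ca' fails without these, so
# --- run this before the first signing (the original listed it afterwards).
# next serial number, in hex
echo "00" > serial
# empty certificate database (the 'database' entry in ca.conf)
touch index.txt
# the CA private key lives here and nowhere else; owner-only access
mkdir private && chmod 700 private
# a copy of every certificate this CA signs (for recovery and revocation)
mkdir certs

# --- per-certificate workflow ---
# certificate signing request for an existing key
openssl req -new -sha256 -key server.key -out server.csr
# sign the CSR.  Add '-extensions server' (or client, or another section
# of ca.conf) to choose the extension profile; without it the
# x509_extensions entry of [ local_ca ] applies.  -md sha256 overrides a
# weak default_md in the config.
openssl ca -config ca.conf -md sha256 -in server.csr -out server.crt
# combined key+certificate file: it contains the private key, so make sure
# the shell creates it owner-readable only
umask 077
cat server.key server.crt > server.pem
# PKCS#12 bundle of a client key and certificate (e.g. for browser import);
# prompts for an export passphrase that protects the bundled key
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12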

Certificate Revocation Lists (CRLs)

# Record the certificate as revoked in the CA database (index.txt).
# Nothing is published yet -- relying parties learn of the revocation
# only from the CRL generated below.
openssl ca -revoke client.crt -config ca.conf
# Regenerate the CRL and redistribute it.  Repeat before the previous
# CRL's nextUpdate (default_crl_days in ca.conf) passes, or clients will
# be left with an expired CRL.
openssl ca -gencrl -config ca.conf -out ca.crl

Makefiles for Apache hash directories
Makefile.crt
Makefile.crl

Makefile for CA batch signing and CSR generation
Makefile

Another ca.conf

Sample ca.conf:

#
# Which CA profile 'openssl ca' uses when no
# -name option is given on the command line.
#
[ ca ]
default_ca = local_ca

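#
# Directories and files the CA needs to issue
# certificates.  $dir is expanded by OpenSSL's
# own config parser (generic INI readers will
# not do this).
# NOTE(review): the sample root-CA commands write
# the key to default_keyfile from [ req ] and the
# certificate to certauth.crt, not to the paths
# below -- rename the files or adjust these keys.
# The directory name suggests a web-served tree;
# keep the CA database and private/ outside
# anything a web server can export.
#
[ local_ca ]
dir = /usr/www/CertAuth
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

#
# Lifetimes (in days) and signature digest.
# default_crl_days sets each CRL's nextUpdate, so
# a fresh CRL must be published at least that
# often; shorter shortens the window in which a
# revoked certificate is still accepted.
# default_md was md5: MD5 collisions have been used
# to forge certificates and every current verifier
# rejects MD5 signatures, so SHA-256 is used instead.
#
default_crl_days = 365
default_days = 1825
default_md = sha256

policy = local_ca_policy
x509_extensions = local_ca_extensions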

#
# Subject-name policy 'openssl ca' applies to every
# request it signs: a 'supplied' field must be present
# in the CSR, an 'optional' one may be omitted.
# Field order here also fixes the order of the
# subject components in the issued certificate.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

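#
# X.509v3 extensions stamped on certificates signed
# by 'openssl ca' when no -extensions option is given.
#
[ local_ca_extensions ]
# Current browsers match the host name against
# subjectAltName and ignore commonName, so set this
# for each server certificate.  A SAN carried in the
# CSR is not copied unless copy_extensions is enabled.
#subjectAltName = DNS:altname.somewhere.com
basicConstraints = CA:false
# nsCertType is a legacy Netscape extension; TLS
# implementations check extendedKeyUsage, so both
# are emitted.
nsCertType = server
extendedKeyUsage = serverAuth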

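#
# Settings for 'openssl req', used here to create
# the self-signed root certificate.
#
[ req ]
default_bits = 2048
# Where -newkey writes the private key when -keyout
# is not given.  NOTE(review): [ local_ca ] expects
# the CA key at $dir/private/cakey.pem -- move or
# rename it, and keep it out of any web-served path.
default_keyfile = /usr/www/CertAuth/privkey.pem
# Was md5: MD5 collisions have been used to forge
# certificates; SHA-256 is the current minimum.
default_md = sha256

# No interactive prompts: the subject is taken from
# the section named by distinguished_name.
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions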

#
# Subject of the root CA certificate.  These are the
# original author's sample values; change every field
# to match your own environment before generating
# the root certificate.
#
[ root_ca_distinguished_name ]
commonName = CyberLeo.Net
stateOrProvinceName = Wisconsin
countryName = US
emailAddress = cyberleo@cyberleo.net
organizationName = CyberLeo.Net

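#
# Extensions for the root CA certificate.  RFC 5280
# requires basicConstraints to be critical on CA
# certificates and a keyUsage limited to certificate
# and CRL signing; subjectKeyIdentifier lets clients
# chain issued certificates back to this root.
#
[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash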

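#
# Extension profile selected with '-extensions protomuck';
# same content as [ server ] apart from the name.
# extendedKeyUsage is what TLS implementations check;
# nsCertType is a legacy Netscape extension kept alongside.
#
[ protomuck ]
basicConstraints = CA:false
nsCertType = server
extendedKeyUsage = serverAuth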

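#
# Extension profile for TLS server certificates
# (selected with '-extensions server').
# extendedKeyUsage is what TLS implementations check;
# nsCertType is a legacy Netscape extension kept alongside.
#
[ server ]
basicConstraints = CA:false
nsCertType = server
extendedKeyUsage = serverAuth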

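#
# Extension profile for client (user) certificates
# (selected with '-extensions client').
# extendedKeyUsage is what TLS implementations check;
# nsCertType is a legacy Netscape extension kept alongside.
#
[ client ]
basicConstraints = CA:false
nsCertType = client
extendedKeyUsage = clientAuth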
