To self-sign SSL certificates with openssl, set up your own certificate authority using the following steps.
- Generate a key for your certificate authority (it is called server.key here, but it is the CA's key, not a web server's)
openssl genrsa -des3 -out server.key 2048
- Remove the passphrase from the key. You can skip this if you only ever sign from the command line, but the Perl script below runs openssl non-interactively and needs a key it can load without a passphrase. Obviously you wouldn't do this to a real key, i.e. one whose certificate a real certificate authority has signed: anyone who can read the unencrypted file can issue certificates in your CA's name.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
- Generate a CSR for your certificate authority.
openssl req -new -nodes -key server.key -out server.csr
- Self-sign the request to produce the CA certificate. This bare -signkey form adds no X.509v3 extensions, so the result carries no basicConstraints = CA:TRUE. Older tools accept such a self-signed certificate as a root, but OpenSSL 3 and current browsers may refuse to chain to it; if you get "invalid CA certificate" errors, add -extfile pointing at a file containing basicConstraints=CA:TRUE, or generate the CA with openssl req -x509 instead.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Now you can sign certificate requests. Here is an example for a CSR named test.csr. Note that -set_serial 01 gives every certificate you issue the same serial number; browsers cache certificates by issuer and serial, and Firefox in particular rejects a second certificate from the same issuer with a reused serial (SEC_ERROR_REUSED_ISSUER_AND_SERIAL). Either bump -set_serial by hand for each certificate, or replace it with -CAcreateserial, which keeps a counter in server.srl next to the CA certificate.
openssl x509 -req -days 365 -in test.csr -out test.crt -CA server.crt -CAkey server.key -set_serial 01
- Optional: Add your certificate authority to your browser so you don't get a certificate warning when visiting your test site.
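The whole procedure above as one script, added here as an example and not part of the original post. It does the same thing as the steps above with two extras those steps lack: basicConstraints = CA:TRUE on the CA certificate, and a serial counter (-CAcreateserial) instead of -set_serial 01, and it finishes by checking the result with openssl verify. It assumes only that the openssl CLI is on PATH; the file names (ca.key, ca.crt, ca.cnf, host.key/.csr/.crt/.ext), the "Example Test CA" subject and the test.example / second.example hostnames are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: a test CA plus issued server
# certificates, with the extensions and serial handling the bare commands
# above leave out. Assumes the openssl CLI is on PATH; all file names and
# subjects below are assumptions made for this example.
set -eu

# Create a CA in directory $1.
make_test_ca() {
    dir=$1
    mkdir -p "$dir"
    # Unencrypted CA key: no -des3, so no passphrase to strip afterwards.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # Own config: a prompt-free subject plus the extensions an issuer needs.
    # A plain "x509 -req -signkey" self-sign would omit basicConstraints.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CSR and self-signature in one step (replaces the separate req + x509 steps).
    openssl req -x509 -new -key "$dir/ca.key" -days 365 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $2 from the CA in $1.
sign_leaf() {
    dir=$1
    host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # -subj overrides the CN in ca.cnf; the config is passed only so that
    # openssl does not depend on a system-wide openssl.cnf.
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -config "$dir/ca.cnf" -out "$dir/$host.csr" 2>/dev/null
    # Leaf extensions: explicitly not a CA, and a SAN, which browsers
    # require (they no longer match the hostname against the CN).
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -CAcreateserial keeps a counter in ca.srl: the first serial is random,
    # each later one increments it, so no two leaves share a serial.
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Exit 0 if $2's certificate chains to the CA in $1 and matches hostname $2.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/$2.crt" >/dev/null 2>&1
}

# Print a certificate's serial number in hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Demo run: one CA and two leaves in a scratch directory.
DEMO_DIR=$(mktemp -d)
make_test_ca "$DEMO_DIR"
sign_leaf "$DEMO_DIR" test.example
sign_leaf "$DEMO_DIR" second.example
verify_leaf "$DEMO_DIR" test.example && echo "test.example: verified"
echo "serials: $(cert_serial "$DEMO_DIR/test.example.crt") $(cert_serial "$DEMO_DIR/second.example.crt")"
```

If you drop the three [v3_ca] lines from ca.cnf and rerun, verify_leaf fails on OpenSSL 3 with "invalid CA certificate", which is exactly the failure the plain -signkey self-sign above runs into. The ca.srl file that -CAcreateserial writes next to ca.crt is the only state the CA keeps; back it up with the key if you reuse the CA.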
Here is a Perl CGI script that will sign certificates from a browser. It signs whatever CSR is pasted into it with no authentication, so anyone who can reach the CGI can obtain a certificate from your CA: use it with a test CA only and restrict access to it in the web server configuration.
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);

# Placeholder paths from the original post; fill in your own.
my $csr_dir = "/full/path/to/a/directory/where/you/can/write/csr/files/";
my $ca_crt  = "/full/path/to/your/servers/crt/file/server.crt";
my $ca_key  = "/full/path/to/your/servers/key/file/server.key";

# With REST set, the response is just the PEM certificate (for scripted
# clients); otherwise a small HTML page wraps the form and the result.
my $rest = param('REST');
print $rest ? "Content-type: text/plain\n\n" : "Content-type: text/html\n\n";

unless ($rest) {
    print <<HTML;
<html>
<body>
<form action="index.cgi" method="post">
Put your Certificate Request here:
<br/>
<textarea name="csr" cols="65" rows="22">
</textarea>
<br/>
How long you want it for?
<input type="text" name="days" value="365">
(days)
<br/>
<input type="submit" value="Sign It!"/>
</form>
HTML
}

if (defined param('csr')) {
    my $csr  = param('csr');
    my $days = param('days') // '';
    # Keep digits only: $days goes on the openssl command line.
    $days =~ s/[^\d]//g;
    $days = 365 if $days eq '';

    # One file per request: client address, process id and timestamp.
    my $client   = $ENV{'REMOTE_ADDR'} // 'unknown';
    my $csr_file = $csr_dir . $client . "." . $$ . "." . time() . ".csr";
    my $crt_file = $csr_file;
    $crt_file =~ s/\.csr$/.crt/;

    open my $csr_fh, ">", $csr_file or die "cannot write $csr_file: $!";
    print $csr_fh $csr;
    close $csr_fh;

    # List-form system() bypasses the shell, so nothing in the arguments can
    # be read as shell syntax, and the exit status is checked instead of
    # silently discarded. -CAcreateserial keeps a serial counter next to the
    # CA certificate instead of reusing serial 01 for every certificate.
    my @cmd = ("openssl", "x509", "-req", "-days", $days,
               "-in", $csr_file, "-out", $crt_file,
               "-CA", $ca_crt, "-CAkey", $ca_key, "-CAcreateserial");
    system(@cmd) == 0 or die "openssl x509 failed: $?";

    print "<pre>\n" unless $rest;
    open my $crt_fh, "<", $crt_file or die "cannot read $crt_file: $!";
    print while <$crt_fh>;
    close $crt_fh;
    print "\n\n</pre>\n" unless $rest;
}

print "</body>\n</html>\n" unless $rest;