====== howto create self-signed certificates ======

===== certificate authority =====

<code bash>
openssl genrsa -des3 -out private/ca.key 2048
openssl req -new -x509 -days 3650 -key private/ca.key -out certs/ca.crt
</code>


===== server certificate =====

<code bash>
SITE=example_com

cd /etc/ssl/
openssl genrsa -out $SITE.key 2048
openssl req -new -sha256 -key $SITE.key -out $SITE.csr
openssl ca -out $SITE.crt -infiles $SITE.csr

rm newcerts/<index>.pem
rm $SITE.csr
mv $SITE.key private/
mv $SITE.crt certs/
</code>

oder:
<code bash>
openssl req -new -sha256 -subj /CN=$SITE -newkey rsa:2048 -nodes -keyout $SITE.key -out $SITE.csr
</code>

self sign:
<code bash>
openssl x509 -req -days 3650 -in $SITE.csr -signkey $SITE.key -out $SITE.crt
</code>

httpd.conf:

<code>
SSLCertificateFile    /etc/ssl/certs/wildcard_30hopsmax_at.crt 
SSLCertificateKeyFile /etc/ssl/private/wildcard_30hopsmax_at.crt
</code>


===== CSR für CACert mit SubAltNames =====

http://wiki.cacert.org/VhostTaskForce#Shell_Script