First, install OpenSSL on your Windows machine.
Several files related to your SSL certificate will be created in this section, so choose a common base name to use. In my examples I use "blarg", which should be replaced by your choice. In practice, I recommend extracting the essence from your domain name; for example, if I was creating a certificate for https://www.neilstuff.com/ then I'd use "neilstuff".
Open up a command prompt and go to the directory where you unzipped OpenSSL and run the following command to create a new certificate request:
openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem
You'll be prompted to answer many questions; which ones depends on your openssl.cnf file. All except two of these can be left blank:
- PEM pass phrase: Password associated with the private key (blarg.pem) you're generating. Since we'll be removing this for the benefit of Apache 2.0.X, I suggest using something like "none" or "password".
- Common Name: The fully-qualified domain name associated with this certificate. In my example, I use www.blarg.com, which means I damn well better use that certificate on https://www.blarg.com/. For personal security, testing, or intranets it's okay for this to not quite match -- just be prepared to deal with warnings from web browsers and such.
Now it's time to create a non-password protected key for Apache 2.0.X by executing the following:
openssl rsa -in blarg.pem -out blarg.key
The only thing you'll be asked is the password you had used. Your resulting KEY file is essentially the same thing as the PEM, just not password protected.
Before we go on, delete the .rnd file. This contains entropy information which could be used by malicious people to try and crack your certificate later on (if they get a hold of it).
Finally, run the following command to create an X.509 certificate, i.e. the kind of certificate that SSL likes to munch:
openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365
Congratulations, you've created a self-signed certificate! Keep the KEY and CERT files someplace safe; we'll be using them soon.
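Before installing the files, it is worth confirming that they belong together and that the key really is free of its pass phrase. The PowerShell script below is an added example, not part of the original article; it assumes openssl.exe is in the current directory or on PATH and that the base name "blarg" was used.

```powershell
# Added example: sanity-check the files produced by the steps above.
# Assumption: base name "blarg" as in the article; change $base to your own.
$base = "blarg"

function Get-Modulus {
    param([string[]]$OpensslArgs)
    # -modulus prints the public RSA modulus ("Modulus=..."); nothing private is shown.
    $out = & openssl @OpensslArgs -noout -modulus
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpensslArgs -join ' ') failed" }
    return ($out -join "").Trim()
}

# "-passin pass:" supplies an empty pass phrase, so a key that is still
# encrypted makes this call fail, which is what we want to detect.
$keyMod  = Get-Modulus @("rsa",  "-in", "$base.key", "-passin", "pass:")
$csrMod  = Get-Modulus @("req",  "-in", "$base.csr")
$certMod = Get-Modulus @("x509", "-in", "$base.cert")

# All three files must carry the same public key.
if ($keyMod -ne $certMod) { throw "$base.cert was not made from $base.key" }
if ($keyMod -ne $csrMod)  { throw "$base.csr was not made from $base.key" }
Write-Host "Key, request and certificate share the same public key."

# Show who the certificate is for and when it is valid. For a self-signed
# certificate the subject and issuer are identical, and the CN should be
# the host name you entered as Common Name.
& openssl x509 -in "$base.cert" -noout -subject -issuer -dates

# -checkend 0 exits non-zero if the certificate has already expired.
& openssl x509 -in "$base.cert" -noout -checkend 0
if ($LASTEXITCODE -ne 0) { throw "$base.cert has expired" }
```

If any check throws, regenerate the affected file from the step that produced it rather than pairing mismatched files in Apache.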