
Certificate Authority & SSL Certificates

A quick run through of creating your own Certificate Authority and generating your first SSL Certificate.

Preface

These instructions have been pulled from multiple sources on the internet and represent my attempt to create a consolidated list of steps for myself. 

Install OpenSSL

Installing OpenSSL from ports is optional, because the FreeBSD base system already ships it. If you want the ports version instead of the base one, run the following. Note that the ports build installs to /usr/local/bin/openssl, so make sure that is the binary you invoke in the later steps:

cd /usr/ports/security/openssl
make install
make clean

Create your Server Key

The first step is to create a safe place to work. For this tutorial that is /root/CA, readable only by root:

su - root
cd /root
mkdir CA
chmod 700 CA
cd CA

Next we'll create the server's private key. OpenSSL will prompt for a passphrase to encrypt it (remember it!). Use at least 2048 bits; 1024-bit RSA keys are no longer accepted by modern browsers.

openssl genrsa -des3 -out server.key 2048

Next, strip the passphrase so that daemons such as Apache can load the key at startup without someone typing it at the console:

openssl rsa -in server.key -out server.pem

This is why the directory is readable only by root. server.pem is the private key in the clear: anyone who can read it can impersonate the server and sign anything with its key, so keep it inside the 0700 directory and make the file itself readable by root only (mode 0600). server.key remains the passphrase-protected copy.

Generate our SSL Certificate

Before we can generate the certificate we need a certificate signing request (CSR), which carries the public key and the identity the certificate will assert:

openssl req -new -key server.pem -out server.csr

You will be prompted for the fields of the certificate's Distinguished Name; an example follows. Keep in mind that "YOUR name" is the DNS name clients connect to (www or mail), not a person's name. In this example the certificate is for our web server. Be aware that modern browsers match the host name against a subjectAltName extension rather than the Common Name, and openssl req does not add one unless you ask for it.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:North Carolina
Locality Name (eg, city) []:Huntersville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KingsQuarry
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.kingsquarry.net
Email Address []:(your eMail address)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The final step is to generate and sign the certificate:

openssl x509 -req -days 1096 -in server.csr -signkey server.pem -out server.crt

Note: "-days" sets how long the certificate is valid, here roughly three years; if omitted, openssl x509 defaults to 30 days. Because -signkey signs the certificate with its own key, the result is self-signed: browsers and mail clients will warn about it until they are told to trust it explicitly, and no separate Certificate Authority is involved. A certificate issued by your own CA is instead signed with -CA and -CAkey pointing at the CA's certificate and key.
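The following is an added example, not part of the original page, that carries the Certificate Authority of the title through to the end: it creates a passphrase-protected CA key and a self-signed CA certificate, issues a server certificate from a CSR with -CA/-CAkey instead of -signkey, and checks the result with openssl verify next to the page's self-signed certificate for comparison. The names (Example Root CA, www.example.test), the passphrase and the temporary working directory are assumptions for the demo; it needs an openssl that understands verify -verify_hostname (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the original page): a small private CA that signs a
# server certificate, plus the page's self-signed certificate for comparison.
# Assumed names: Example Root CA, www.example.test; the passphrase is a demo value.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # stand-in for /root/CA
chmod 700 "$WORK"
CA_PASS="${CA_PASS:-demo-only-passphrase}"   # demo value, replace in real use

# Minimal req config so we do not depend on the system openssl.cnf.
# v3_ca marks the self-signed CA cert as a CA, which 'x509 -req -signkey' never does.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
# overridden by -subj on the command line
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {
  # The CA key stays encrypted on disk: it only ever signs, no daemon loads it.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096
  chmod 600 "$WORK/ca.key"
  openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -subj "/C=US/ST=North Carolina/O=Example/CN=Example Root CA" \
    -sha256 -days 3650 -out "$WORK/ca.crt"
}

# Key, CSR and CA-signed certificate for one host name. The key is left
# unencrypted so the daemon can start unattended, hence the root-only directory.
make_server_cert() {
  host="$1"
  openssl genrsa -out "$WORK/$host.key" 2048
  chmod 600 "$WORK/$host.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$host.key" \
    -subj "/C=US/ST=North Carolina/O=Example/CN=$host" -out "$WORK/$host.csr"
  # 'x509 -req' does not copy extensions from the CSR, so the SAN is stated here;
  # modern clients match the host name against the SAN, not the CN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -sha256 -days 398 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt"
}

# The page's own approach: the certificate signs itself with -signkey.
make_self_signed() {
  host="$1"
  openssl genrsa -out "$WORK/$host.self.key" 2048
  chmod 600 "$WORK/$host.self.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$host.self.key" \
    -subj "/CN=$host" -out "$WORK/$host.self.csr"
  openssl x509 -req -days 1096 -in "$WORK/$host.self.csr" \
    -signkey "$WORK/$host.self.key" -out "$WORK/$host.self.crt"
}

# Exit 0 only if the certificate chains to our CA and is valid for the host name.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

main() {
  make_ca
  make_server_cert www.example.test
  make_self_signed www.example.test
  if verify_chain www.example.test "$WORK/www.example.test.crt"; then
    echo "CA-signed certificate verifies for www.example.test"
  fi
  if ! verify_chain www.example.test "$WORK/www.example.test.self.crt"; then
    echo "self-signed certificate is not trusted via ca.crt (clients would warn)"
  fi
}
main
```

To have browsers and mail clients accept the server certificate without warnings, import ca.crt (never ca.key) into their trust store; the CA key only leaves the 0700 directory when a new CSR needs signing.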
