Now I’ve got my server installed, how do I create a test certificate?

Step one – create the key and request (the private key is written to privkey.pem):

  openssl req -new > server_cert.csr

Step two – remove the passphrase from the key (optional):

  openssl rsa -in privkey.pem -out server_cert.key

Step three – convert the request into a self-signed cert:

  openssl x509 -in server_cert.csr -out server_cert.cert -req -signkey server_cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:

  SSLCertificateFile /path/to/certs/server_cert.cert
  SSLCertificateKeyFile /path/to/certs/server_cert.key

How do I create a client certificate?

Step one – create the client key and request in the same way as above (first two steps only); the server certificate/key pair created above serves as the CA:

  openssl req -new > client_cert.csr
  openssl rsa -in privkey.pem -out client_cert.key

Step two – sign the client request with the previously created CA key:

  openssl x509 -req -in client_cert.csr -out client_cert.cert -CA server_cert.cert -CAkey server_cert.key -CAcreateserial -days 365

Step three – issue the file ‘client_cert.cert’ to the requester.

The Apache-SSL directives that you need to validate against this cert are:

  SSLCACertificateFile /path/to/certs/server_cert.cert
  # Apache-SSL syntax:
  SSLVerifyClient 2
  # mod_ssl syntax (use one or the other):
  SSLVerifyClient require

Create a PKCS12 file for use in a web browser (the client certificate bundled with the client's own private key):

  openssl pkcs12 -export -in client_cert.cert -inkey client_cert.key -out client_cert.p12
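
The two procedures above run end to end as a non-interactive script, with checks that the client certificate chains to the CA and carries the client's own public key rather than the CA's. This is an added example, not part of the original FAQ; the subject names, the -extfile that marks the CA with basicConstraints=CA:TRUE, the explicit -CAserial path and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the page's server/CA and client certificates, built
# non-interactively and then checked. Subject names are constructed.

make_test_pki() {
    dir=$1
    # Assumption: mark the self-signed certificate as a CA explicitly
    # (the page's step three passes no extensions).
    printf 'basicConstraints=CA:TRUE\n' > "$dir/ca_ext.cnf"
    # Server key and request; -nodes leaves the key without a passphrase.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=test-server.example' \
        -keyout "$dir/server_cert.key" -out "$dir/server_cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server_cert.csr" -signkey "$dir/server_cert.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/server_cert.cert" -days 365 2>/dev/null || return 1
    # Client key and request, signed with the server/CA key.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=test-client' \
        -keyout "$dir/client_cert.key" -out "$dir/client_cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client_cert.csr" -CA "$dir/server_cert.cert" \
        -CAkey "$dir/server_cert.key" -CAcreateserial -CAserial "$dir/ca.srl" \
        -out "$dir/client_cert.cert" -days 365 2>/dev/null
}

# issued_by CA_CERT CERT: true if CERT chains to CA_CERT.
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_matches_key CERT KEY: true if CERT carries KEY's public half.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The client certificate must chain to the CA and belong to the client's
# own key, never to the CA key that stays on the server.
verify_test_pki() {
    issued_by "$1/server_cert.cert" "$1/client_cert.cert" &&
    cert_matches_key "$1/client_cert.cert" "$1/client_cert.key" &&
    ! cert_matches_key "$1/client_cert.cert" "$1/server_cert.key"
}

workdir=$(mktemp -d) && make_test_pki "$workdir" &&
    verify_test_pki "$workdir" && echo "test PKI in $workdir verified"
```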