root@nazuha 22:08:49/001113(/home/makoto)# /usr/pkg/sbin/mkcert.sh -t custom -a RSA
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
3478331 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............................++++++
............................................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from /tmp/.mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Chiba
3. Locality Name (eg, city) [Snake Town]:Chiba
4. Organization Name (eg, company) [Snake Oil, Ltd]:www.ki.nu
5. Organizational Unit Name (eg, section) [Certificate Authority]:NetBSD
6. Common Name (eg, CA name) [Snake Oil CA]:macppc
7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]:makoto@ki.nu
8. Certificate Validity (days) [365]:
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=JP/ST=Chiba/L=Chiba/O=www.ki.nu/OU=NetBSD/CN=macppc/Email=makoto@ki.nu
Getting Private key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/usr/pkg/etc/httpd/ssl.crt/ca.crt: /C=JP/ST=Chiba/L=Chiba/O=www.ki.nu/OU=NetBSD/CN=macppc/Email=makoto@ki.nu
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
3478331 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........................++++++
..................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from /tmp/.mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Chiba
3. Locality Name (eg, city) [Snake Town]:Chiba
4. Organization Name (eg, company) [Snake Oil, Ltd]:www.ki.nu
5. Organizational Unit Name (eg, section) [Webserver Team]:NetBSD
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.ki.nu
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:makoto@ki.nu
8. Certificate Validity (days) [365]:
______________________________________________________________________

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=JP/ST=Chiba/L=Chiba/O=www.ki.nu/OU=NetBSD/CN=www.ki.nu/Email=makoto@ki.nu
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/usr/pkg/etc/httpd/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you're using an encrypted private key.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you're using an encrypted RSA private key.
______________________________________________________________________

RESULT: CA and Server Certification Files

o /usr/pkg/etc/httpd/ssl.key/ca.key
  The PEM-encoded RSA private key file of the CA which you can
  use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o /usr/pkg/etc/httpd/ssl.crt/ca.crt
  The PEM-encoded X.509 certificate file of the CA which you use to
  sign other servers or clients. When you sign clients with it (for
  SSL client authentication) you can configure this file with the
  'SSLCACertificateFile' directive.

o /usr/pkg/etc/httpd/ssl.key/server.key
  The PEM-encoded RSA private key file of the server which you configure
  with the 'SSLCertificateKeyFile' directive (automatically done when you
  install via APACI). KEEP THIS FILE PRIVATE!

o /usr/pkg/etc/httpd/ssl.crt/server.crt
  The PEM-encoded X.509 certificate file of the server which you configure
  with the 'SSLCertificateFile' directive (automatically done when you
  install via APACI).

o /usr/pkg/etc/httpd/ssl.csr/server.csr
  The PEM-encoded X.509 certificate signing request of the server file which
  you can send to an official Certificate Authority (CA) in order to request
  a real server certificate (signed by this CA instead of our own CA) which
  later can replace the /usr/pkg/etc/httpd/ssl.crt/server.crt file.

Congratulations that you establish your server with real certificates.
root@nazuha 22:11:06/001113(/home/makoto)#
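The eight mkcert.sh steps above, redone with plain openssl(1) as an added example (not part of the original session and not mkcert.sh's own code). It assumes openssl is installed, takes the subject values from the session, uses a placeholder pass phrase, and encrypts the keys with AES-256 in place of the session's Triple-DES; the final three calls reproduce the modulus and chain checks that mkcert.sh prints.

```shell
#!/bin/sh
# Added example, not from the original session or from mkcert.sh: steps 1-8
# above redone with plain openssl(1). Assumes openssl is installed. Subject
# values come from the session; the pass phrase is a placeholder; AES-256 is
# used for key encryption in place of the session's Triple-DES.
set -eu

DN_CA='/C=JP/ST=Chiba/L=Chiba/O=www.ki.nu/OU=NetBSD/CN=macppc/emailAddress=makoto@ki.nu'
DN_SRV='/C=JP/ST=Chiba/L=Chiba/O=www.ki.nu/OU=NetBSD/CN=www.ki.nu/emailAddress=makoto@ki.nu'
PASS='pass:CHANGE-ME-placeholder'

# STEP 1-3: CA key, CSR, self-signed v3 CA certificate marked as a CA
make_ca() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config, no prompts
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key ca.key -subj "$DN_CA" -out ca.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.crt 2>/dev/null
}

# STEP 4-6: server key, CSR, leaf certificate signed by our own CA (with SAN)
make_server() {
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key server.key -subj "$DN_SRV" -out server.csr
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.ki.nu\n' > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null
}

# STEP 7-8: encrypt both private keys with a pass phrase
encrypt_keys() {
    for k in ca.key server.key; do
        openssl rsa -in "$k" -aes256 -passout "$PASS" -out "$k.enc" 2>/dev/null
    done
}

# The checks mkcert.sh prints: key/cert modulus must match, server.crt must chain to ca.crt
key_matches_cert() {   # $1 = certificate, $2 = private key; prints match or MISMATCH
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo MISMATCH
}
verify_chain() {       # prints OK when server.crt verifies against ca.crt
    openssl verify -CAfile ca.crt server.crt 2>/dev/null | sed 's/^server.crt: //'
}

WORK=$(mktemp -d); cd "$WORK"
make_ca; make_server; encrypt_keys
key_matches_cert ca.crt ca.key; key_matches_cert server.crt server.key; verify_chain
```

The files are written to a fresh temporary directory; the `.enc` keys are what you would install as `SSLCertificateKeyFile`, and `ca.crt` is what goes into `SSLCACertificateFile` when client certificates are signed with this CA.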