I followed the instructions on this page:
This blog post revealed the source of a puzzling error:
It turns out that leaving some fields blank (like the city name for your new certificate) leads to baffling error messages!
Extracting the relevant commands from the Makefile available on the first page linked above, we run these commands to create our CA:
    mkdir -p /etc/domtool/ca
    cd /etc/domtool/ca
    mkdir crl newcerts private
    chmod go-rwx private    # only root may read the CA's private key material
    echo '01' > serial      # serial number of the first certificate the CA will issue
    touch index             # empty certificate database
    cd ..
    # NOTE: remove ":2048" below if running OpenSSL lower than 0.9.8a
    # The new private key is written to the path named by default_keyfile in
    # openssl.cnf unless you pass -keyout explicitly.
    openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca/ca-cert.pem -outform PEM
Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates.
After creating the CA, append its certificate to DomTool's trust store (see the trustStore configuration value for its location). If you are replacing an existing CA (e.g. because the domtool CA was compromised, or its private key was otherwise leaked or destroyed), make sure to remove the old, now-invalid CA certificate from this file; otherwise anything signed with the leaked key remains trusted.
    cat /etc/domtool/ca/ca-cert.pem >> ${LOCATION OF TRUST STORE}
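Because the trust store is just a concatenation of PEM blocks, removing a retired CA certificate by hand is error-prone. The following script is an added example, not DomTool's own code: it identifies certificates by the same SHA-256 fingerprint `openssl x509 -fingerprint -sha256` prints, drops the ones you list, and collapses duplicates created by repeated `cat >>`. The certificates in `SAMPLE_STORE` are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# DomTool's trust store is a plain concatenation of PEM certificates
# (ca-cert.pem is appended to it with `cat ... >>`).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def fingerprint(pem_body):
    """SHA-256 over the DER bytes, in the colon form that
    `openssl x509 -noout -fingerprint -sha256` prints, so values compare directly."""
    der = base64.b64decode("".join(pem_body.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def store_fingerprints(bundle):
    """Fingerprints of every certificate in the bundle, in file order."""
    return [fingerprint(m.group(1)) for m in PEM_BLOCK.finditer(bundle)]

def prune_trust_store(bundle, revoke):
    """Return (new bundle text, fingerprints dropped). Every certificate whose
    fingerprint is in `revoke` is removed; duplicates of the same certificate
    (easy to produce with repeated `cat >>`) are collapsed to a single copy."""
    kept, seen, removed = [], set(), []
    for m in PEM_BLOCK.finditer(bundle):
        fp = fingerprint(m.group(1))
        if fp in revoke:
            removed.append(fp)
        elif fp not in seen:
            seen.add(fp)
            kept.append(m.group(0))
    return "".join(block + "\n" for block in kept), removed

def _placeholder_pem(label):
    # Constructed placeholder, NOT a real certificate: it only exercises the
    # PEM parsing and fingerprint bookkeeping above.
    body = base64.b64encode(label.ljust(48, b"\0")).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

OLD_CA = _placeholder_pem(b"old domtool ca (compromised)")
NEW_CA = _placeholder_pem(b"new domtool ca")
# Constructed trust store: stale CA still present, new CA appended twice.
SAMPLE_STORE = OLD_CA + NEW_CA + NEW_CA
```

To apply it to a real store, read the file into `bundle`, pass the retired CA's fingerprint (taken from `ca-cert.pem` with `store_fingerprints`) as `revoke`, and write the returned text back before restarting DomTool.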