These instructions assume you are running as user `domtool` on `deleuze.hcoop.net`. = Creating a certificate authority = I followed the instructions on this page: http://sial.org/howto/openssl/ca/ This blog post revealed the source of a puzzling error: http://ilovett.com/blog/projects/debian-apache-ssl It turns out leaving some fields (like the city name for your new certificate) blank leads to baffling messages! Extracting the relevant commands from the Makefile available at the former page, we run these commands to create our CA: {{{mkdir crl newcerts private chmod go-rwx private echo '01' > serial touch index # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM}}} Now the directory structure of our CA exists, and we have the certificate we will use to sign certificates. = Creating a certificate for a node or user = I followed the instructions on this page: http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2 The commands to run are: {{{openssl req -new -keyout serverkey.pem -out newreq.pem -days 365 cat newreq.pem serverkey.pem > new.pem openssl -config /etc/domtool/openssl.cfg ca -policy policy_anything -out servercert.pem -infiles new.pem}}} replacing `serverkey.pem` and `servercert.pem` with appropriate names for your new key and certificate, respectively. The change I made from [http://marc.theaimsgroup.com/?l=openssl-users&m=97049654211960&w=2 the cited source] is to include the `-config` flag to reference the modified config file obtained from [http://sial.org/howto/openssl/ca/ the page about creating a CA]. Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.