#pragma section-numbers off

This is the page of the MemberManual that describes how to generate a valid SSL cert.

[[TableOfContents]]

== Making a cert for use with Domtool ==

If you are creating an SSL certificate to use for a web virtual host via DomTool, then you should generate a single output file instead of separate `.crt` and `.key` files. Here is an example. '''DAYS''' is the number of days that you want the certificate to be valid. '''FILE''' is the filename of the certificate that will be generated; it should end in ".pem". The certificate should be placed somewhere in your home directory, such as "~/certs".

{{{
openssl req -x509 -newkey rsa:1024 -keyout FILE -out FILE -days DAYS -nodes
}}}

Here is an explanation of the parameters that you will be asked to provide. Replace '''yourdomain.org''' with your domain name.

 * '''Country'''/'''State'''/'''Locality''': These are self-explanatory.
 * '''Organization Name''': This can be anything you want. It is often the full name or description of your organization or website.
 * '''Organizational Unit''': This can be anything you want. It can be left blank.
 * '''Common Name''': This is the domain that goes with the certificate. It can be either a single name (e.g. "yourdomain.org") or a wildcard domain (like "*.yourdomain.org"). The wildcard domain is used for sharing the same certificate among multiple subdomains of your domain.
 * '''Email Address''': A valid email address. People often use '''ca@yourdomain.org'''.

Because `-nodes` leaves the private key in this file unencrypted, the file should be readable only by you and your ".daemon" alter ego, so be sure to set permissions properly on the directory where you store the certificate.

== Making a self-signed cert ==

To create a self-signed SSL certificate in `file.crt` with its key in `file.key`, you can run:

{{{
openssl req -x509 -newkey rsa:1024 -keyout file.key -out file.crt -days 9999 -nodes
}}}
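
The following check for the combined '''FILE''' from the Domtool section is an added example, not part of the original page or of DomTool. It confirms that the file holds one certificate and one private key, that the two belong together, that the key is large enough and that the certificate has not expired. The function name `check_combined_pem` and the 2048-bit default minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a combined key+certificate PEM file.
# The function name and the 2048-bit default minimum are assumptions.
# Usage: check_combined_pem FILE [MIN_BITS]; returns 0 only if all checks pass.
check_combined_pem() {
    f=$1; min_bits=${2:-2048}; rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }

    # 1. The single file must hold exactly one certificate and one private key.
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    if [ "$certs" -ne 1 ] || [ "$keys" -ne 1 ]; then
        echo "FAIL: found $certs certificate block(s) and $keys key block(s), want 1 and 1"
        return 1
    fi

    # 2. The key must belong to the certificate: both must yield the same public key.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi

    # 3. Key size, read from the certificate's text dump.
    bits=$(openssl x509 -in "$f" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, want at least $min_bits"; rc=1
    fi

    # 4. The certificate must not already be expired.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }

    # Show what clients will see: subject (with Common Name) and expiry date.
    openssl x509 -in "$f" -noout -subject -enddate 2>/dev/null
    return $rc
}

# Run as a script: sh check_pem.sh ~/certs/FILE.pem
if [ "$#" -gt 0 ]; then check_combined_pem "$@"; fi
```

A file generated with `rsa:1024` fails the size check unless a second argument of 1024 is given.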