Here is a short summary of how I manage my SSL/TLS certificates with the OpenSSL command-line tools:

  • Edit /etc/ssl/openssl.cnf and add a separate CA section for each certificate authority you run, e.g. CA_servers, CA_clients, CA_vpn (the section name is what openssl ca -name selects below)
  • Use a safe umask so that every file created from here on, the private key in particular, is readable by its owner only:
     umask 077
  • Generate a private key (2048-bit RSA is the minimum worth using today):
    • an unencrypted key (no passphrase; use this when a daemon must load the key unattended, and rely on file permissions to protect it)
      openssl genrsa -out key.pem 2048
    • an encrypted key (AES-256 protected by a passphrase that you are prompted for here and every time the key is used)
      openssl genrsa -aes256 -out key.pem 2048
  • Create a certificate signing request with that key (openssl req prompts for the subject fields, e.g. the common name):
    openssl req -new -key key.pem -out req.pem
  • Sign the request with the chosen CA, here the CA_vpn section; the issued certificate is written to cert.pem and recorded in that CA's database:
    openssl ca -name CA_vpn -in req.pem -out cert.pem
  • Optionally add specific extensions to the signed certificate:
    • Prepare a section in /etc/ssl/openssl.cnf like this:
      [ext_server]
      nsCertType = server, client

      Note that nsCertType is the legacy Netscape extension; current TLS clients decide on keyUsage and extendedKeyUsage instead, so those belong in the same section for anything that must interoperate today.
    • Pass the section name to the signing command with -extensions:
      openssl ca -name CA_vpn -in req.pem -out cert.pem -extensions ext_server
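The whole procedure end to end, as an added example that is not part of the original notes: it builds a throwaway CA named CA_vpn in a temporary directory with its own openssl.cnf instead of editing /etc/ssl/openssl.cnf, issues one server certificate through the ext_server section, and then checks the result the way you would before deploying it. The CA name, the hostname vpn.example.internal, the directory layout and the extra keyUsage/extendedKeyUsage lines placed beside nsCertType are assumptions made for this demo; -subj and -batch only replace the interactive prompts.

```shell
#!/bin/sh
# Added example, not from the original notes. Runs the CA_vpn procedure above
# against a throwaway CA in a temp directory. CA_vpn, ext_server and
# vpn.example.internal are illustrative names chosen for this demo.
set -eu

# Minimal openssl.cnf: one CA section (selected by `openssl ca -name CA_vpn`),
# the self-signed root's extensions, and the ext_server section from the notes
# with the modern keyUsage/extendedKeyUsage added beside the legacy nsCertType.
# $ENV::CA_DIR is expanded by openssl itself, so the file is location independent.
write_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_vpn

[ CA_vpn ]
dir            = $ENV::CA_DIR
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_cn
unique_subject = no

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ext_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
nsCertType             = server, client
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Create the directory layout `openssl ca` needs plus a self-signed CA certificate.
init_ca() {
    CA_DIR=$1; export CA_DIR
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"          # empty certificate database
    echo 1000 > "$CA_DIR/serial"     # next serial number, in hex
    write_config "$CA_DIR/openssl.cnf"
    (umask 077; openssl genrsa -out "$CA_DIR/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/cakey.pem" \
        -subj "/CN=Example VPN CA" -days 3650 -out "$CA_DIR/cacert.pem"
}

# The steps from the notes: safe umask, key, request, signing with -extensions.
# The umask lives in a subshell so it does not leak into the caller.
issue_cert() {
    ca_dir=$1 cn=$2 out=$3
    CA_DIR=$ca_dir; export CA_DIR
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/key.pem" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$out/key.pem" \
        -subj "/CN=$cn" -out "$out/req.pem"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -name CA_vpn \
        -in "$out/req.pem" -out "$out/cert.pem" -extensions ext_server
}

# Pre-deployment checks: the leaf chains to the CA and is acceptable as a TLS
# server certificate, the requested extensions were applied, and the key file
# came out owner-only (the reason for umask 077). Returns non-zero on failure.
check_cert() {
    ca_dir=$1 out=$2
    openssl verify -CAfile "$ca_dir/cacert.pem" -purpose sslserver "$out/cert.pem" >/dev/null &&
    openssl x509 -in "$out/cert.pem" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$out/cert.pem" -noout -text | grep -q 'SSL Server' &&
    [ "$(ls -l "$out/key.pem" | cut -c1-10)" = "-rw-------" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
init_ca "$WORK/ca"
issue_cert "$WORK/ca" vpn.example.internal "$WORK/server"
if check_cert "$WORK/ca" "$WORK/server"; then
    echo "issued and verified $WORK/server/cert.pem"
else
    echo "verification failed" >&2; exit 1
fi
```

openssl verify -purpose sslserver is the check worth keeping in a real workflow: it rejects a certificate whose nsCertType, keyUsage or extendedKeyUsage does not permit server use, which is exactly the mistake a wrong -extensions section produces.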