In "18.9.3. Creating Certificates", ------------------------------------------------------------------ To create a server certificate whose identity can be validated by clients, first create a certificate signing request (CSR) and a public/private key file:
openssl req -new -nodes -text -out root.csr \ -keyout root.key -subj "/CN=root.yourdomain.com" chmod og-rwx root.key Then, sign the request with the key to create a root certificate authority (using the default OpenSSL configuration file location on Linux): openssl x509 -req -in root.csr -text -days 3650 \ -extfile /etc/ssl/openssl.cnf -extensions v3_ca \ -signkey root.key -out root.crt ------------------------------------------------------------------ For me it seesm the two-step procedure can be replaced with following one command: openssl req -new -x509 -nodes -text -days 3650 \ -config /etc/ssl/openssl.cnf -extensions v3_ca \ -out root.crt -keyout root.key -subj "/CN=root.yourdomain.com" Is there any reaon why our doc recommend the two-step procedure? Best regards, -- Tatsuo Ishii SRA OSS, Inc. Japan English: http://www.sraoss.co.jp/index_en.php Japanese:http://www.sraoss.co.jp
