openssl generate key

# ref: http://www.ehow.com/how_6539666_create-self_signed-certificate-openssl.html
# ref: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php

#configuration:
#/etc/ssl/openssl.cnf

mkdir ./sslCA
mkdir ./sslCA/newcerts
vi ./sslCA/index.txt

echo 1000 > serial
touch index.txt

#create CA keypair
openssl req -newkey rsa:4096 -x509 -days 3650 -extensions v3_ca -keyout sslCA/private/apogadoca_g2.key -out sslCA/private/apogadoca_g2.crt -config /etc/ssl/openssl.cnf -subj "/CN=Apogado Root G2 CA/O=Apogado/L=Sint-Niklaas/C=BE" -sha256


mkdir ./sslCA/private
openssl genrsa -aes128 -out ./sslCA/private/myserver.key 4096
#create certificate signing request
openssl req -new -key ./sslCA/private/myserver.key -out ./sslCA/private/cakey.csr
#sign the signing request
openssl x509 -req -days 999 -in ./sslCA/private/cakey.csr -signkey ./sslCA/private/myserver.key -out ./sslCA/private/cacert.pem

#sign an external cert request
openssl ca -notext -out sslCA/site.crt -in ./sslCA/site.csr -keyfile ./sslCA/private/myserver.key -cert ./sslCA/private/myserver.pem
openssl ca -in sslCA/clients/localhost2_client.csr -keyfile sslCA/private/apogadoca_g2.key -cert sslCA/private/apogadoca_g2.crt -verbose -extensions usr_ssl_client -out sslCA/clients/localhost2.crt  -policy policy_anything -days 999 -notext

[usr_ssl_server]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth


[ usr_ssl_client ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=clientAuth


#create a new keypair and a selfsigned certificate
openssl req -x509 -newkey rsa:1024 -keyout ./testkey.pem -out ./testcert.pem -days 1800


#remove key password
openssl rsa -in server.key.secure -out server.key