Creating a Self-signed SSL Certificate

How to create a self-signed SSL certificate to use with Axigen


Using interactive OpenSSL config

Generate an OpenSSL key:

openssl genrsa -out axigen_cert.key 1024

Generate the self-signed certificate, using the key:

openssl req -new -x509 -key axigen_cert.key -out axigen_cert.crt

The default validity for a certificate is 30 days. If you want to increase that validity to say 1 year (365 days), you may want to add the -days 365 parameter to the command above:

openssl req -new -x509 -days 365 -key axigen_cert.key -out axigen_cert.crt

Combine the key and certificate into a PEM file:

cat axigen_cert.key axigen_cert.crt > axigen_cert.pem

Using the OpenSSL config file:

Create an OpenSSL config file named axigen_ssl.cnf, with the following contents:

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
O=AXIGEN Mail Server
OU=Automatically-generated SSL key

[ cert_type ]
nsCertType = server

Create the auto-signed certificate:

openssl req -new -x509 -days 365 -nodes -config axigen_ssl.cnf \
-out /var/opt/axigen/axigen_cert.pem -keyout /var/opt/axigen/axigen_cert.pem

Using Axigen's initscript:

On all supported operating systems, Axigen's initscript will automatically create a self-signed certificate at the first run and save it in the data directory with a name of axigen_cert.pem. If you want to regenerate the certificate, you may run once more the initscript with the init parameter. For example, in RedHat, you can regenerate the certificate with:

/etc/init.d/axigen init

The init parameter will also try to create the default domain database, which will almost sure fail on most systems (it will be already created).

In order to view the certificate information:

openssl x509 -text -noout -in /var/opt/axigen/axigen_cert.pem

In order to view the expiration date for the specified certificate, use the -enddate parameter:

openssl x509 -enddate -noout -in /var/opt/axigen/axigen_cert.pemThe command above should output something like:
notAfter=May  1 15:16:16 2008 GMT

OS: LinuxWindows