Recipe 7.3 Generating a Trusted CA


You want to generate SSL keys that browsers will accept without a warning message.


Issue the following commands:

% -newca % -newreq % -signreq % -pkcs12


Recipe 7.2 discusses the lengthy steps that are required to create keys and sign them. Fortunately, OpenSSL comes with a script to automate much of this process, so that you don't have to remember all of those arguments. This script, called, is located where your SSL libraries are installed, for example, /usr/share/ssl/misc/

The lines in the Solution hide a certain amount of detail, as you will be asked a number of questions in the process of creating the key and the certificate. Note also that you will probably need to be in the directory where this script lives to get successful results from this recipe.

If you want to omit the passphrase on the certificate so that you don't have to provide the passphrase each time you start up the server, use -newreq-nodes rather than -newreq when generating the certificate request.

After running this sequence of commands, you can generate more certificates by repeating the -newreq and -signreq commands.

Having run these commands, you will have generated a number of files. The file newcert.pem is the file you specify in your SSLCertificateFile directive, the file newreq.pem is your SSLCertificateKeyFile, and the file demoCA/cacert.pem is the CA certificate file, which will need to be imported into your users' browsers (for some browsers) so that they can automatically trust certificates signed by this CA. And, finally, newcert.p12 serves the same purpose as demoCA/cacert.pem for certain other browsers.

Importing the CA

If your users are using Internet Explorer, you need to create a special file for them to import. Use the following command:

openssl X509 -demoCA/cacert.pem -out cacert.crt -outform DER

Then you can send them the cacert.crt file.

Clicking on that file will launch the SSL certificate wizard and guide the user through installing the CA certificate into their browser.

Other browsers, such as Mozilla, expect to directly import the cacert.pem file. Users will navigate through their menus (Edit xxxrarrxxx Preferences xxxrarrxxx Privacy and Security xxxrarrxxx Certificates), then click on Manage Certificates, then on the Authorities tab, and finally on Import, to select the certificate file.

After importing a CA certificate, all certificates signed by that CA should be usable in your browser without receiving any kind of warning.

See Also

  • The manpage for the script

  • documentation at

Apache Cookbook
Apache Cookbook: Solutions and Examples for Apache Administrators
ISBN: 0596529945
EAN: 2147483647
Year: 2006
Pages: 215

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: