One fine day I needed to create signed SSL certificates for a Jabber server and a web server. Well then. Let's get started.
1. Generate the private key (the transcript below uses a 1024-bit RSA modulus, which is no longer considered safe; use 2048 bits or more today):
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
................++++++
.............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
$

2. Generate a certificate signing request (CSR). This is not yet the certificate, only the request that will be signed in step 4. The Common Name should be the hostname clients connect to (the XMPP domain or the web server's name), not a person's name; note also that modern browsers and clients ignore the CN and match only a subjectAltName, which this plain CSR does not carry:
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:RU
State or Province Name (full name) [Some-State]:None
Locality Name (eg, city) []:Ufa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Home
Organizational Unit Name (eg, section) []:Home
Common Name (eg, YOUR name) []:BV
Email Address []:agr1a@gmail.ru

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
3. Remove the passphrase from the key (a daemon cannot type it at startup). The resulting server.key is now stored in the clear, so it must not be world-readable: the listing below shows it was created as -rw-r--r--, so run chmod 600 server.key afterwards:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
$ ll
total 12
drwxr-xr-x 2 vadim wheel - 512 Nov 22 11:08 ./
drwxr-xr-x 103 vadim wheel - 3072 Nov 22 10:47 ../
-rw-r--r-- 1 vadim wheel - 664 Nov 22 11:06 server.csr
-rw-r--r-- 1 vadim wheel - 887 Nov 22 11:08 server.key
-rw-r--r-- 1 vadim wheel - 963 Nov 22 11:08 server.key.org
$
4. Generate a self-signed certificate valid for 365 days (-signkey signs the CSR with our own key, so no CA is involved and clients will have to trust the certificate explicitly):
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=RU/ST=None/L=Ufa/O=Home/OU=Home/CN=BV/emailAddress=agr1a@gmail.ru
Getting Private key
$
5. For the Prosody Jabber server, copy the key and certificate:
cp server.key /usr/local/etc/prosody/cert
cp server.crt /usr/local/etc/prosody/cert
and adjust the Prosody config to enable encryption.
6. For Apache the steps are the same. I won't describe them for now, simply because I don't want to. It's all clear anyway.
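The whole procedure above, as an added example that is not part of the original post: one POSIX shell function does steps 1 to 4 (key, CSR, self-signed certificate) with the fixes a practitioner would apply today, plus two checks worth running before the pair is copied into the Prosody or Apache directory. It assumes the `openssl` command (1.0.2 or newer) is on PATH; the hostname `jabber.example.org`, the output directory and the function names are placeholders chosen here, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the same key -> CSR -> self-signed
# certificate procedure, done the way a practitioner would today. Assumptions:
# the openssl CLI (1.0.2 or newer) is on PATH; the hostname, output directory and
# function names are this example's own placeholders.
set -eu

# make_selfsigned_cert HOST DIR [DAYS]
#   HOST  the name clients will connect to (Prosody VirtualHost / Apache ServerName)
#   DIR   where server.key, server.csr and server.crt are written
#   DAYS  validity period, default 365 (as in the post)
make_selfsigned_cert() {
    host=$1
    dir=$2
    days=${3:-365}
    mkdir -p "$dir"

    # Steps 1 and 3 of the post collapsed into one: generate the key without a
    # passphrase in the first place (a daemon cannot type one at boot anyway).
    # 2048 bits instead of 1024; umask 077 makes the file 0600 at creation, so
    # there is no window in which the unencrypted key is world-readable.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    chmod 600 "$dir/server.key"   # also covers re-runs over an existing file

    # Step 2: the CSR. -subj avoids the interactive prompts; CN is the hostname,
    # not a person's name, because that is what clients compare against.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=RU/L=Ufa/O=Home/CN=$host"

    # Step 4: self-sign. The extensions file adds a subjectAltName (modern
    # browsers and XMPP clients ignore CN and match only SAN) and marks the
    # certificate as a non-CA server certificate. -extfile works on old and new
    # OpenSSL alike, unlike x509 -copy_extensions (3.0+) or req -addext (1.1.1+).
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" \
        -extfile "$dir/san.cnf" 2>/dev/null
    rm -f "$dir/san.cnf"
}

# cert_san CRT -> prints the SAN list of the certificate, e.g. "DNS:jabber.example.org"
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# key_matches_cert KEY CRT -> exit 0 if the certificate was issued for this key.
# Compares the public key extracted from each side; run it before copying the
# pair into the Prosody or Apache directory so a stale .crt is caught early.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# file_perm FILE -> the ls-style mode string, e.g. "-rw-------"
file_perm() {
    ls -l "$1" | cut -c1-10
}

# Usage, e.g. for a Prosody host (names are placeholders):
#   make_selfsigned_cert jabber.example.org ./out 365
#   key_matches_cert ./out/server.key ./out/server.crt && echo "pair OK"
#   cert_san ./out/server.crt
#   file_perm ./out/server.key      # -rw-------
```

The key comes out as 0600 owned by whoever ran the script; when it is copied to /usr/local/etc/prosody/cert, change the owner (or group) to the account Prosody runs as rather than loosening the mode back to 0644. Prosody then references the pair from prosody.cfg.lua through its `ssl = { key = "...", certificate = "..." }` table, and Apache through SSLCertificateKeyFile and SSLCertificateFile.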