http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html
Good ref with basic OpenSSL commands:
https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Default Java system keystore password is "changeit".
It seems that keystores can only import DER-encoded X.509 certs.
RFC 1421 = PEM = base64 encoding of DER.

To make a self-signed cert for Apache:

    openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem

The prompt after "Organizational Unit Name" is for the CN, which must be a URL prefix, like "admc.com".
(At this point, can set SSLCertificateFile to cert.pem and SSLCertificateKeyFile to key.pem and give the password at httpd startup -- but not at restart!)

    openssl rsa -in key.pem -out unencrypted.pem

(Can change SSLCertificateFile to unencrypted.pem and no password is required -- protect the unencrypted key file!)
(Can also concatenate the unencrypted key + cert into a single file and use that as SSLCertificateFile; do not set SSLCertificateKeyFile.)

To list/display/print the contents of a cert/key/csr:

    openssl x509|rsa|dsa|req -in cert.pem -noout -text

(If PKCS#7 format, then: openssl pkcs7 -print_certs -in *.txt -noout -text)

Empirically, I find that Apache SSL server does not send the CA list to the clients unless SSLVerifyClient is set to 2. Doesn't make too much sense. I don't know if SSLVerifyDepth has to be set.

Here is a set of Apache 1 SSL directives that do work:

    SSLVerifyClient 2
    SSLVerifyDepth 1
    SSLCACertificateFile /usr/local/apache/conf/testcakey.pem

Here is what Apache recommends for Apache 2:

    SSLVerifyClient none                       # This only if you want "outside" area unprotected
    SSLCACertificateFile conf/ssl.crt/ca.crt   # Or directory
    SSLVerifyClient require
    SSLVerifyDepth 1

Generate a self-signed root cert (I call the non-CA certs the "child" certs).
Export OPENSSL_CONF set to a modified copy of /usr/share/ssl/openssl.cnf, or just use the default. I recommend changing these settings:
    "dir" to "." so everything goes directly in your $PWD.
    Set all the client cert defaults under [ req_distinguished_name ] (these are the defaults when making both CA and child stuff).
    nsComment
    Comment out everything in the [ req_attributes ] section.
    Uncomment the "nsCertType = client, email, objsign" line.

    mkdir private
    openssl req -days 3650 -x509 -newkey rsa:1024 -keyout private/cakey.pem -out cacert.pem
    openssl req -new -x509 -keyout root.key -out origroot.pem -days 3650 -nodes

Key type comes from the system default (now RSA) or the -newkey spec.
Bit length comes from the *.cnf file or from the -newkey spec.
(PWD: capwd) pempp

To use CA-signed client keys instead of self-signed client keys:

    print 01 > serial
    > index.txt
    mkdir newcerts

Generate request:
Comment the "nsCertType = client, email, objsign" line and uncomment the nsCertType you want (typically "client, email").

    openssl req -newkey rsa:1024 -keyout client1_pvk.pem -out client1_req.pem

I THINK *_req.pem is BETTER NAMED *.csr.
Asked for PEM Pass Phrase. This is the new cert password (not the CA pwd).
Just ENTER for Challenge Password and 2nd Company Name. (ppass) (PWD: clipwd)
(Child certs' Country/State/Company must exactly match the CA info, but Unit Name does not have to match.)

Sign the request:

    openssl ca -in client1_req.pem -out client1.cert

(Also writes a copy of the signed cert in demoCA/newcerts by number.) (Asks for CA pwd.)
I don't know what format this client1.cert is in, but just run

    openssl x509 -in client1.cert -out client1_cert.pem -outform PEM

to make a PEM out of it.

To renew one of the client certs, do like:

    openssl x509 -req -days 365 -in mail.admc.com/mail.admc.com_req.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -out mail.admc.com/mail.admc.com.cert.2024

To import client cert & pvk into Netscape (can have password):

    openssl pkcs12 -export -in client1_cert.pem -inkey client1_pvk.pem \
        -name "Name" -out client1.p12

(Asks for client pvk pwd, then new p12 password.
MUST specify a password for the p12 file :( ) (PWD: p12pwd)
In Netscape: Cert management / Restore. Password: exppwd
(You are asked for the master NS password, then the p12 file password.) (PWD: exppwd for 6.2 & navpwd)

To make a server private keystore from the child stuff, see my hsqlSSL.html doc.
(When entering the passwords for the keystore when running DERImport, give the same password twice, once for the store and once for the record.)

To decrypt an RSA key (for C, decrypt the pvks so the program doesn't have to deal with passwords; for Java I know of no way to decrypt):

    openssl rsa -in key.pem -out keyout.pem

NOTE: Most web browsers support only RSA cipher suites.

TESTING

    openssl s_server -cert svr_cert.pem -key svr_pvk.pem -accept 443 \
        -CAfile demoCA/cacert.pem [-www] -Verify 1
    openssl s_client -connect host:443 -cert client1_cert.pem \
        -key client1_pvk.pem -CAfile demoCA/cacert.pem -verify 1
    openssl s_client -connect host:443... -prexit

(The verify values are depths.)
Be careful. Damned s_* programs don't tell you if a file isn't found; they just continue as if you didn't specify one.

W3C has a browser that does uploads and has SOURCE: Amaya.
(Unfortunately, Amaya uses libwww, which is another entire level of poorly-documented complexity :( )

    openssl verify -CAfile cacert.pem $cn/${cn}.cert ||

INDEPENDENT SERVER KEY

Don't use the CA key to run the web site. Don't mix CA and server functionality.
Just generate a server key exactly like the client1 key above (obviously skip the p12 stuff). (PWD: svrpwd)
(Note that the Cpp files in this directory are taken out of the ssl demo directory of the OpenSSL source code.)

RUNNING SERVER

To require client auth, need to code:

    ((SSLServerSocket) l).setNeedClientAuth(true);

Do NOT need to specify the trust keystore password. It can be used without the password.
    java -Djavax.net.ssl.trustStore=../axisca.keystore -Djavax.net.ssl.keyStorePassword=ikol -Djavax.net.ssl.keyStore=loki.keystore TLS2WayProxy -v mail 25

I don't know how to tell the server to use a keystore with a list of client keys. Have to use a CA keystore and then look up the CNs in the code... I guess.
The DN contains EMAILADDRESS=email@address and CN. I think, set CN to a unique identifier for this cert, like "kate1", and keep that in the runtime config file.

Can regenerate compatible new CA certs as long as you have the original CA private key:
https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal
or the very last section at
https://www.golinuxcloud.com/renew-ssl-tls-server-certificate-openssl/#Scenario-3_Renew_server_certificate_without_revocation
Main purpose would be to extend expiry. DOES NOT WORK TO CHANGE CA BIT SIZE. That derives from the private key size!
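An added end-to-end script (not from these notes) that ties the CA, client-signing, verify and renewal steps above together in a throwaway directory: it builds a root CA with explicit CA extensions instead of the nsCertType edits, signs a client CSR with the same x509 -req -CA form used for renewal, checks the chain with openssl verify, then re-issues the CA cert over the same key and shows the client cert still chains to it. The subject names, file names and the demo.cnf config are assumptions made up for the example; it also adds a file-existence guard for the s_client/s_server "missing file is silently ignored" caveat.

```shell
#!/bin/sh
# Constructed demo (not from the notes): throwaway root CA, a CA-signed client cert,
# chain checks, and CA-cert renewal over the same key. Names are made up.
set -u
WORK=$(mktemp -d) && cd "$WORK" || exit 1
CA_SUBJ="/C=US/ST=MD/O=DemoOrg/CN=Demo Root CA"

# Private config so nothing depends on the system openssl.cnf; the explicit
# extensions below replace the nsCertType edits the notes make in that file.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
nsCertType = client,email
EOF

# Self-signed root over a fresh key ($1 = output file). -nodes leaves the key
# unencrypted: fine for a throwaway, not for the real cakey.pem under private/.
make_ca() {
    openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$CA_SUBJ" -extensions v3_ca -keyout cakey.pem -out "$1" 2>/dev/null
}
# Renewal: new self-signed cert over the EXISTING key with the same subject, so
# already-issued client certs still chain to it (the last point in the notes).
renew_ca() {
    openssl req -config demo.cnf -x509 -key cakey.pem -days 3650 \
        -subj "$CA_SUBJ" -extensions v3_ca -out "$1" 2>/dev/null
}
# Client key + CSR ($1 = CN), signed by CA cert $2 with the same x509 -req -CA
# form the notes use for renewal (no demoCA index/serial bookkeeping needed).
make_client() {
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=MD/O=DemoOrg/OU=Clients/CN=$1" \
        -keyout "${1}_pvk.pem" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1.csr" -CA "$2" -CAkey cakey.pem \
        -CAcreateserial -extfile demo.cnf -extensions v3_client \
        -out "${1}_cert.pem" 2>/dev/null
}
# Exit 0 only if cert $2 chains to CA cert $1 (openssl verify, as in the notes).
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# s_client/s_server carry on when -cert/-key/-CAfile name a missing file;
# run this over every file argument before starting them.
require_files() { for f in "$@"; do [ -r "$f" ] || return 1; done; }
```

Call require_files on the -cert, -key and -CAfile paths before every s_client or s_server run; a CA cert generated with a different key must fail verify_against even though its subject is identical.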