
SSL Certificates

How you can easily create and manage SSL certificates

Creating an SSL Certificate

CSR

This is the final part of the guide and covers creating a certificate signing request (CSR) to be signed by a commercial CA (or by your own recently created CA!).

As usual, create a request. In this case the Common Name (CN) attribute should be the hostname of the URL you want to use the certificate for. If it does not match, your users' browsers will warn that the site name does not match the certificate.

Note also the restriction on web servers imposed by the SSL protocol: each (virtual) web site using an SSL certificate must have its own unique IP address.

Using the following configuration information, saved as ssl-certificate.cfg (the file named by the -config option below):

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = www.example.com
emailAddress = webmaster@example.com

Create the request in the usual way, giving the key size explicitly (older OpenSSL releases default to a short RSA key):

openssl genrsa -out ssl-certificate.key 2048
openssl req -new -sha256 -key ssl-certificate.key -out ssl-certificate.req -config ssl-certificate.cfg

Signing

At this point you could send your request (CSR) to a commercial CA to be signed, or you could sign it with your own SSL Server CA (or even the original CA, since it is all-purpose):

openssl x509 -req -sha256 -days 365 -in ssl-certificate.req -out ssl-certificate.crt -CA ssl-server-ca.crt -CAkey ssl-server-ca.key -CAserial ssl-server-ca.srl

Note that we don't need to add any extensions, but -days is worth giving because without it openssl x509 -req issues a certificate that is valid for only 30 days (and don't forget to create the SSL Server CA's serial file).

Checking

Looking at the certificate reveals the following:

openssl x509 -noout -in ssl-certificate.crt -text -purpose

Note that the Issuer is the SSL Server CA and that the certificate's purposes are limited to SSL Server and SSL Client (amongst others), i.e. it cannot be used as a CA.

Were you to create another SSL Server Certificate using the SSL Server CA, the serial number would increment to 1 (one).

SHA256

Again, check that your certificate reports:

Signature Algorithm: sha256WithRSAEncryption
