Using www.openssl.org tools to create a CA root certificate and a corresponding client certificate
(1) Tools to create a CA root certificate and a client certificate signed by that CA root, and to package them as a PKCS#12 file
- Download source: http://www.openssl.org/source/ - the following information was verified against version 0.9.7d
- Documentation of "CA.pl": http://www.openssl.org/docs/apps/CA.pl.html
Before creating CA certificates and signed client certificates:
- You may edit the "openssl-0.9.7d/apps/CA.pl" perl script to configure parameters for CA root certificate creation (e.g. the validity period: change $DAYS="-days 365" to a larger number of days)
- You may edit "/usr/ssl/openssl.cnf" to configure parameters for client certificate creation (e.g. expiry date, CA certificate directory)
(2) Example
(2.1) To create CA root for hugh (CN=root.hugh):
$ cd openssl-0.9.7d/apps
$ mv ./demoCA ./demoCA.old
$ ./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
................................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [SomeState]:BC
Locality Name (eg, city) []:
Organization Name (eg, company) [InternetWidgitsPtyLtd]:root.hugh
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:root.hugh
Email Address []:
(2.2) To create a certificate request for hugh (CN=hugh), to be signed by the above CA root:
$ ./CA.pl -newreq
Generating a 1024 bit RSA private key
.........++++++
............................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [SomeState]:BC
Locality Name (eg, city) []:
Organization Name (eg, company) [InternetWidgitsPtyLtd]:hugh
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:hugh
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
(2.3) To sign the above certificate request with the CA root:
$ ./CA.pl -signreq
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 13 20:09:36 2004 GMT
Not After : Aug 11 20:09:36 2014 GMT
Subject:
countryName = CA
stateOrProvinceName = BC
organizationName = hugh
commonName = hugh
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C1:3B:41:29:51:E5:34:B1:E8:AB:4B:F0:1D:6C:6A:19:6E:1B:5D:17
X509v3 Authority Key Identifier:
keyid:D9:25:A7:FD:27:AC:D0:96:D2:0E:61:F5:5A:9B:D0:2F:94:8E:E6:23
DirName:/C=CA/ST=BC/O=root.hugh/CN=root.hugh
serial:00
Certificate is to be certified until Aug 11 20:09:36 2014 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
(2.4) To package user certificate, private key and CA certificate:
$ ./CA.pl -pkcs12 "Hugh SSL Certificate"
Enter pass phrase for newreq.pem:
Enter Export Password:
Verifying - Enter Export Password:
Now you have:
cacert.pem (found in apps/demoCA/)
newcert.p12 (found in apps/)
newcert.pem (found in apps/)
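As an added example (not part of the original post), the same four steps done non-interactively with plain openssl(1) commands instead of CA.pl, followed by the check a practitioner should run before trusting the bundle: that newcert.pem really chains to cacert.pem and is marked CA:FALSE. The working-directory argument, the unencrypted keys and the export password "changeit" are my own choices for scripting, not from the page.

```shell
#!/bin/sh
# Added example: reproduces steps (2.1)-(2.4) above with openssl(1) directly.
# Keys are left unencrypted (-nodes) so the script runs without prompts.
set -eu

# make_ca_and_client DIR : builds the root CA "root.hugh", a client certificate
# "hugh" signed by it, and a PKCS#12 bundle, all under DIR.
make_ca_and_client() {
    dir="$1"
    mkdir -p "$dir"
    # (2.1) self-signed CA root, 10 years like the CA.pl run above
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=CA/ST=BC/O=root.hugh/CN=root.hugh" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # (2.2) client key and certificate request
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CA/ST=BC/O=hugh/CN=hugh" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # (2.3) sign the request with the CA; CA:FALSE matches the CA.pl output
    printf 'basicConstraints=CA:FALSE\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/newreq.pem" -days 365 -sha256 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/newcert.pem" 2>/dev/null
    # (2.4) bundle certificate, private key and CA certificate as PKCS#12
    openssl pkcs12 -export -in "$dir/newcert.pem" -inkey "$dir/newkey.pem" \
        -certfile "$dir/cacert.pem" -name "Hugh SSL Certificate" \
        -passout pass:changeit -out "$dir/newcert.p12"
}

# check_chain DIR : succeeds only if newcert.pem verifies against cacert.pem
# and the issued certificate is not itself a CA.
check_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null &&
    openssl x509 -in "$dir/newcert.pem" -noout -text | grep -q 'CA:FALSE'
}
```

Run it as `make_ca_and_client ./demo && check_chain ./demo`; the PKCS#12 file can then be imported into a browser or mail client exactly like the newcert.p12 produced by CA.pl.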