Creating an SSL certificate for use on servers is easy, unless you do it with openssl. In this tutorial I use GnuTLS.
You need little more than one command:
certtool --generate-self-signed --outfile xy
WARNING: If you type an entry, press Enter and nothing happens, this is fine. Such an entry is a list, and you can add another entry now. To finish the list, leave the line empty and press Enter.
1. Quick guide for a very simple SSL cert:
Use certtool --generate-self-signed --outfile xy and leave every question empty. The browser will complain about an invalid cert, but this is fine for a start.
2. More extensive guide with the options decoded:
As before, use certtool --generate-self-signed --outfile xy, but this time answer the questions. The questions are hard to understand.
Here is a nearly complete decoded list, with recommendations for the difficult options:
Enter the subject's domain component (DC): e.g. "marketing" (empty)
E-mail: outdated (empty)
Enter the certificate's serial number in decimal: (empty)
Does the certificate belong to an authority?: this means a Certificate Authority (CA). If yes, you can sign other certificates.
Path length constraint: a value != 0, or an empty field, limits how often this certificate can be used to sign new certificates (empty)
Is this a TLS web client certificate?: for authentication (no)
Will the certificate be used for IPsec IKE operations?: used as a key for IPsec (empty)
Is this also a TLS web server certificate?: (empty)
Will the certificate be used to sign CRLs?: CRL = Certificate Revocation List (no)
Will the certificate be used to sign code?: automatic checking of programs you offer under this certificate (yes, why not)
Will the certificate be used to sign OCSP requests?: Online Certificate Status Protocol, see https://de.wikipedia.org/wiki/Online_Certificate_Status_Protocol (empty)
Will the certificate be used for time stamping?: whether signed content stays valid if it was signed while the certificate was valid but the certificate has since expired (yes). InstantSSL: "Timestamping ensures that code will not expire when certificate expires."
Enter the URI of the CRL distribution point: the revocation address is asked for (URL of the revocation list) (empty)
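The same questions can be answered without the interactive prompts by putting them into a certtool template file and passing it with --template. The script below is an added example and not part of the original post: it writes a template for a plain TLS web server certificate (server key purpose only, no CA, no code or time-stamp signing, which is a narrower choice than the answers suggested above), generates a key and self-signed certificate from it, and checks the result with --certificate-info. The hostname "example.test", the organization name and the ./out directory are constructed placeholder values; GnuTLS certtool is assumed to be installed.

```shell
#!/bin/sh
# Non-interactive version of the certtool walk-through above (added example,
# not the original post's code). The answers to certtool's questions go into
# a template file passed with --template instead of being typed by hand.
# Assumed: GnuTLS certtool is installed; "example.test", "Example Org" and
# ./out are constructed placeholder values.

# Write a template that answers the interactive questions for a plain TLS
# web server certificate. Template keywords mirror the questions:
# cn/organization (subject), expiration_days, dns_name, tls_www_server, ...
write_template() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/server.tmpl" <<'EOF'
# Subject fields (the DC and E-mail questions are left out, as in the text)
cn = "example.test"
organization = "Example Org"
# Validity in days
expiration_days = 365
# Hostname the browser will check; repeat the line for further names
dns_name = "example.test"
# Key usage: a server certificate only needs these two
signing_key
encryption_key
# Extended key usage: answers "Is this also a TLS web server certificate?"
tls_www_server
# Everything else stays off: not a CA, no CRL/code/OCSP/time-stamp signing
EOF
}

# Generate a private key and a self-signed certificate from the template.
# Returns 0 and leaves key.pem and cert.pem in $dir on success.
generate_cert() {
    dir=$1
    certtool --generate-privkey --outfile "$dir/key.pem" >/dev/null 2>&1 || return 1
    certtool --generate-self-signed \
        --load-privkey "$dir/key.pem" \
        --template "$dir/server.tmpl" \
        --outfile "$dir/cert.pem" >/dev/null 2>&1
}

# Verify that the certificate carries the server key purpose, is not a CA,
# and did not pick up the code-signing purpose we left off.
check_cert() {
    info=$(certtool --certificate-info --infile "$1") || return 1
    printf '%s\n' "$info" | grep -q 'TLS WWW Server' || return 1
    printf '%s\n' "$info" | grep -q 'Certificate Authority (CA): FALSE' || return 1
    if printf '%s\n' "$info" | grep -q 'Code signing'; then
        return 1
    fi
    return 0
}

main() {
    dir=${1:-./out}
    write_template "$dir"
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not found; template written to $dir/server.tmpl" >&2
        return 0
    fi
    generate_cert "$dir" || { echo "certtool failed" >&2; return 1; }
    check_cert "$dir/cert.pem" && echo "ok: $dir/cert.pem is a server-only certificate"
}

main "$@"
```

Run it as sh gencert.sh ./out; the generated cert.pem and key.pem are what a web server is pointed at. Keeping the CA, code-signing and time-stamping purposes off the server certificate means a leaked server key cannot be used to mint further certificates or sign software.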
Caution: CA-specific options aren't included yet. I will improve this guide and write a second part on how to create and use a CA cert.
Sorry, the documentation I found on the internet is not very good.