If we do not want all browsers to worry users with a warning, but we know that our users will trust us enough to install a certificate, it is possible to become our own Certificate Authority (CA) using OpenSSL. This is only a little more work than using a self-signed certificate.
OpenSSL includes a demo CA, but we need to set up a few things to use it. First, go into a clean directory (create it first if necessary). Now, create a directory called "demoCA". Inside it, create a file named "serial" containing the string "01" (that is zero-one), plus an empty file called index.txt. The following commands will do this on the usual POSIX-compatible system:
> mkdir demoCA
> cd demoCA
> mkdir private newcerts
> touch index.txt
> echo 01 > serial
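A check of the layout built by the commands above, as an added example that is not part of the original page. The function name `check_democa` is hypothetical, and the owner-only warning on `private` is an assumption added here; the serial test enforces the even-length hexadecimal form the page gives ("01", not "1").

```sh
#!/bin/sh
# Added example (not from the original page): sanity-check the demoCA layout.
# check_democa is a hypothetical helper name; usage: check_democa [DIR]

check_democa() {
    ca_dir=${1:-demoCA}
    errors=0

    # Directories created by "mkdir private newcerts" on the page.
    for d in private newcerts; do
        if [ ! -d "$ca_dir/$d" ]; then
            echo "error: missing directory $ca_dir/$d" >&2
            errors=$((errors + 1))
        fi
    done

    # Certificate database created by "touch index.txt".
    if [ ! -f "$ca_dir/index.txt" ]; then
        echo "error: missing $ca_dir/index.txt" >&2
        errors=$((errors + 1))
    fi

    # Serial file: hex digits only, even count ("01", not "1").
    if [ ! -f "$ca_dir/serial" ]; then
        echo "error: missing $ca_dir/serial" >&2
        errors=$((errors + 1))
    else
        serial=$(head -n 1 "$ca_dir/serial")
        case $serial in
            '' | *[!0-9A-Fa-f]*)
                echo "error: serial '$serial' is not hexadecimal" >&2
                errors=$((errors + 1)) ;;
            *)
                if [ $((${#serial} % 2)) -ne 0 ]; then
                    echo "error: serial '$serial' has an odd number of digits" >&2
                    errors=$((errors + 1))
                fi ;;
        esac
    fi

    # Assumption added here: the CA key directory should be owner-only.
    if [ -d "$ca_dir/private" ]; then
        mode=$(ls -ld "$ca_dir/private" | cut -c5-10)
        [ "$mode" = "------" ] ||
            echo "warning: $ca_dir/private is accessible to group/other (chmod 700)" >&2
    fi

    [ "$errors" -eq 0 ]
}
```

Run it from the directory that contains demoCA; it returns non-zero if any required piece is missing or the serial is malformed, and only warns about the permissions on `private`.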
Now, set up a key for the CA, similar to the self-signed key described earlier, but with the CA-extensions. OpenSSL will prompt for a password to secure your CA; enter it twice. Then, it will ask the...