Need a server cert that has no password. Commands are:
(1) change directory into the grid-security directory: cd /etc/grid-security
(2) Generate the server key (with password): openssl genrsa -des3 -out server.key 1024
(3) Generate certificate *without a password*: openssl rsa -in server.key -out server.pem
(4) Create CSR (Certificate Signing Request) to affirm that the server key is valid. The server.pem is used in place of server.key as we don’t require a password:
openssl req -new -key server.pem -out server.csr
The information you are about to be asked to enter information will be incorporated into your certificate request as the Distinguished Name or a DN of the signed cert. [ If you enter ‘.’, the field will be left blank ]
(5) to self-sign the cert: In this example a time limit of 3 years, or 1095 days is set for the amount of time to be valid. Again, we use the server.pem file without a password.
# openssl x509 -req -days 1095 -in server.csr -signkey server.pem -out server.crt
TO CREATE AND USE YOUR OWN CA:
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:
Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out ca.key 1024
Please backup this ca.key file and remember the pass-phrase you currently entered at a secure location. You can see the details of this RSA private key via the command
$ openssl rsa -noout -text -in ca.key
And you can create a decrypted PEM version (not recommended) of this private key via:
$ openssl rsa -in ca.key -out ca.key.unsecure
Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this Certificate via the command:
$ openssl x509 -noout -text -in ca.crt
Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):
$ ./sign.sh server.csr
This signs the server CSR and results in a server.crt file.
other good stuff here: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
