Hello folks.
I've created a brief synopsis of how to create ssl keys, create a certificate request key and self-sign the key so you can have high level ssl server options for apache. I hope you get something from them, and please reply with errors or additions you have, and I'd be glad to create a nice simple doc to spread around.
--- begin info ---
#
# Notes on getting an openssl setup for apache on an OpenBSD 3.5 box.
# Info originally learned in and adapted from the fine book:
# "Secure Architectures with OpenBSD"
# by Brandon Palmer and Jose Nazario
# It's remarkable how easy it can be!
# Please read through once to understand the steps, then proceed.
#
#Good Luck!
#The following commands are run as root: (read through once!)
#generate strong encryption private key
openssl genrsa -out /etc/ssl/private/server.key 2048
#If you put a passphrase on this, you must enter it each time the machine
#reboots or reads the key, I believe. OpenBSD leaves /etc/ssl/private as 700
#so the files should be safe without a password...
#Create certificate request key (can be then submitted to verisign, or self signed as shown next)
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
#After running this command, you are prompted for information.
#Fill in information as verbosely as you see fit.
#A legit email address might be helpful!
#Explore verisign.com or similar for details on submitting your .csr file.
#***note*** - http://www.cacert.org/ can be an interesting read for free certification.
#Read on for a self-signed key!
#To create a self-signed key for internal or small use:
openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
#Edit your /etc/rc.conf file to change:
httpd_flags="" # to
httpd_flags="-DSSL" # (as comment in file suggests)
#reboot
#enjoy
-- end --
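
A check to run after the steps above, as an added example that is not part of the original post: it repeats the three openssl commands non-interactively in a scratch directory, then confirms that the certificate matches the private key, that the key file is inaccessible to group and others, and that the certificate is not close to expiry. The scratch directory, the `-subj` value and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks for server.key / server.csr / server.crt.
# Runs on constructed files in a temp directory, not on /etc/ssl.

# Print the RSA modulus of a file; $1 = rsa | req | x509, $2 = path.
modulus_of() { openssl "$1" -noout -modulus -in "$2" 2>/dev/null; }

# Succeeds only if the certificate ($2) was issued for the private key ($1).
cert_matches_key() {
    k=$(modulus_of rsa "$1") && c=$(modulus_of x509 "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if group and others have no permission bits on the key file.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Succeeds if the certificate ($1) is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Recreate the three steps from the notes; -subj replaces the interactive
# prompts (constructed subject), umask 077 keeps the key owner-only.
make_demo() {
    ( umask 077
      openssl genrsa -out "$1/server.key" 2048 &&
      openssl req -new -key "$1/server.key" -subj "/CN=www.example.test" \
          -out "$1/server.csr" &&
      openssl x509 -req -days 365 -in "$1/server.csr" \
          -signkey "$1/server.key" -out "$1/server.crt"
    ) >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo "$DEMO_DIR" || { echo "openssl failed" >&2; exit 1; }

cert_matches_key "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt" \
    && echo "OK: certificate matches private key" \
    || echo "FAIL: certificate and key do not match"
key_is_private "$DEMO_DIR/server.key" \
    && echo "OK: key is owner-only" \
    || echo "FAIL: key is accessible to group or others"
cert_valid_for "$DEMO_DIR/server.crt" 30 \
    && echo "OK: certificate valid for at least 30 more days" \
    || echo "WARN: certificate expires within 30 days"
```

To check a real installation, call the three functions with `/etc/ssl/private/server.key` and `/etc/ssl/server.crt` instead of the scratch files.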