Tuesday, September 6, 2011

Self Signed Certificates

Amazon Linux has the CA directory structure (/etc/pki/CA with certs, crl, newcerts and private subdirectories) installed by default

Create the serial file and the certificate index (the "database" openssl ca records issued certs in)  
cd /etc/pki/CA 
echo '100001' >serial
touch index.txt

The openssl.cnf file is located at /etc/pki/tls/openssl.cnf. It can be left as the default; the default RSA key size (default_bits) is 2048 bits

Create the private key and root certificate
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 9999 -config /etc/pki/tls/openssl.cnf

This will create a root cert that expires in 2039 (9999 days from now)
You will be prompted for a PEM passphrase; it encrypts private/cakey.pem, which is the trust root for everything this CA signs, so choose a strong one and keep the file readable only by root
Use the following for the subject prompts
Country Name - 2 Letter Abbreviation = US
State or Province Name - Full Name of State = Nebraska
City or Locality - Full City Name = Omaha
Organization Name - Company Name = Acme Inc
Organizational Unit = IT
Common Name - Name of the Authority = Company Name Certificate Authority
Email Address

Create a CSR (on the server that will use the cert, or on the CA box) using the same Country, State and Organization as the root certificate, with the Common Name set to the server's hostname. Copy the CSR file to the CA machine.

To generate a certificate
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -days 9999 -infiles /etc/pki/CA/newcerts/CSRfile

The cert will be displayed on screen (add -out to write it to a file). openssl ca also keeps a copy in /etc/pki/CA/newcerts/ named after the serial number (100001.pem for the first cert), records it in index.txt, and increments the serial file
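The whole procedure above, end to end, as an added example that is not part of the original post. It runs in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, fills in the subject with -subj and -batch so nothing prompts, and finishes by checking that the issued cert actually chains to the CA. The directory layout, the www.example.com hostname, the 825-day server cert lifetime and the v3_server extension section are assumptions, and -nodes (no passphrase on the CA key) is only there so the script runs unattended; keep the passphrase on a real CA.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA, issues a
# server cert from a CSR, and verifies the chain. Assumed paths/names only.
set -e

# CA_DIR: hypothetical scratch directory standing in for /etc/pki/CA.
build_ca_and_sign() {
    CA_DIR="$1"
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    chmod 700 "$CA_DIR/private"        # CA key must not be world-readable
    echo '100001' > "$CA_DIR/serial"   # same starting serial as the post
    : > "$CA_DIR/index.txt"            # empty certificate database

    # Minimal stand-in for the relevant parts of /etc/pki/tls/openssl.cnf.
    # $CA_DIR expands now; \$dir is left for openssl to expand.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com
EOF

    # Step 1: CA private key and self-signed root cert (9999 days, as in the post).
    openssl req -new -x509 -nodes -extensions v3_ca -days 9999 \
        -subj '/C=US/ST=Nebraska/L=Omaha/O=Acme Inc/OU=IT/CN=Acme Inc Certificate Authority' \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -config "$CA_DIR/openssl.cnf"

    # Step 2: server key and CSR, same C/ST/L/O, CN = hostname (assumed).
    openssl req -new -nodes -newkey rsa:2048 \
        -subj '/C=US/ST=Nebraska/L=Omaha/O=Acme Inc/OU=IT/CN=www.example.com' \
        -keyout "$CA_DIR/server.key" -out "$CA_DIR/server.csr" \
        -config "$CA_DIR/openssl.cnf"

    # Step 3: sign the CSR. -batch skips the y/n prompts, -out saves the cert
    # instead of only printing it; a copy still lands in newcerts/100001.pem.
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -policy policy_anything \
        -extensions v3_server -days 825 \
        -out "$CA_DIR/server.crt" -infiles "$CA_DIR/server.csr"

    # Check: the issued cert must chain to cacert.pem (exit 0 on success).
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/server.crt"
}

# Usage: build_ca_and_sign /tmp/myca
```

After it runs, index.txt has one line for the server cert, serial reads 100002, and the files the post ends up with are cacert.pem, private/cakey.pem and newcerts/100001.pem. The verify step is the check worth keeping in a real deployment: it catches a CSR signed against the wrong CA or a root cert generated without the v3_ca extensions before the cert ever reaches a load balancer.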

Note
IIS7 will generate a self-signed cert in a couple of clicks, but those certs are only valid for 1 year. Expired certs have caused problems with load balancers in the past

Helpful outside link
http://www.flatmtn.com/article/setting-openssl-create-certificates