===== What? =====
Creating a certificate authority. Nowadays you need one even just to test an https webserver: create the CA, then create a cert for the https service and sign it with the CA. Import the CA cert into the browser, then access the https service.
==== CA generation with nss ====
NSS is the default on Fedora, RHEL, CentOS and ScientificLinux.
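# Prerequisites: certutil/pk12util come from nss-tools, the PEM conversion
# at the end uses openssl. Everything below runs as root under /etc/pki/nssdb.
dnf -y install nss-tools openssl

# Hostname the service certificate is issued for (its CN). Can be overridden
# via the environment. The httpd example further down was taken from host
# rhel7a, so adjust those paths to your own SERVICENAME.
SERVICENAME="${SERVICENAME:-rhel7b.fluxcoil.net}"
# Nickname of the CA inside the NSS databases; every step refers to it.
CA_NICK="chorn test CA"

### create CA itself
cd /etc/pki/nssdb || exit 1
# The CA's private key ends up in this database: keep it readable by root
# only and never copy it onto the web server.
mkdir -p CA_db
certutil -N -d CA_db
# -x: self-signed. -2: prompt for the basicConstraints extension.
# -t "CT,,": trust the CA to issue server (C) and client (T) certificates.
certutil -S -d CA_db -n "$CA_NICK" \
  -s "CN=test,O=MYORG,L=Tokyo,C=JA" -t "CT,," -x -2
# Be sure to answer "Is this a CA certificate [y/N]?" with "y"!
# export cacert to x509 (PEM, -a); this is the file to import into browsers
certutil -L -d CA_db -n "$CA_NICK" -a -o CA_db/rootca.crt
# show details
certutil -L -d ./CA_db

### create server/services db
mkdir -p /etc/pki/nssdb/server_db
certutil -N -d server_db
# import the CA cert (public part only) so the service cert chains to it
certutil -A -d server_db -n "$CA_NICK" -t "TC,," -a -i CA_db/rootca.crt

### create a service cert, i.e. for https
# -R: generate key pair + PKCS#10 request. A request carries no validity
# period, so the lifetime is decided by the signing step (-C) below.
certutil -R -d server_db \
  -s "CN=$SERVICENAME,O=MYORG,L=Tokyo,C=JA" \
  -a -o "server_db/$SERVICENAME.req" -v 12
# -C: sign the request with the CA. -v 12: valid for 12 months (certutil's
# default is 3 months). -2 prompts for basicConstraints again: answer "N"
# this time, a service cert must not be a CA. (-6 would additionally prompt
# for extended key usage.)
certutil -C -d CA_db -c "$CA_NICK" -a \
  -i "server_db/$SERVICENAME.req" -o "server_db/$SERVICENAME.crt" -v 12 -2 # -6
# import the signed cert into the server db, nickname = hostname
certutil -A -d server_db -n "$SERVICENAME" -a \
  -i "server_db/$SERVICENAME.crt" -t ",,"
# -u V: verify the cert is usable as an SSL server cert (chain + trust flags)
certutil -V -d server_db -u V -n "$SERVICENAME"

cd server_db/ || exit 1
openssl x509 -in "$SERVICENAME.crt" -noout -text
# Everything created from here on contains the private key: make the files
# root-only from the start.
umask 077
# export cert + private key as PKCS#12 (prompts for an export password),
# then convert to PEM; the key is still passphrase-protected at this point
pk12util -d . -o "$SERVICENAME.pk12" -n "$SERVICENAME"
openssl pkcs12 -clcerts -in "$SERVICENAME.pk12" -out "$SERVICENAME.pem"
# create keyfile without passphrase (httpd needs it to start unattended);
# file permissions are now the only thing protecting the service key
openssl rsa -in "$SERVICENAME.pem" \
  -out "${SERVICENAME}_key_nopass.pem"
chmod 600 "${SERVICENAME}_key_nopass.pem"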
==== example httpd config ====
[root@rhel7a server_db]# yum -y install mod_ssl
[..]
[root@rhel7a server_db]# grep nssdb /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net.pem
SSLCertificateKeyFile /etc/pki/nssdb/server_db/rhel7a.fluxcoil.net_key_nopass.pem
SSLCACertificateFile /etc/pki/nssdb/CA_db/rootca.crt
[root@rhel7a server_db]# systemctl start httpd