Create a private key & CSR for use on a server:
openssl req -config req.conf -newkey rsa:4096 -keyout subdomain.example.com.pem -sha512 -out subdomain.example.com.csr
If you add the -nodes switch, the private key is written without a passphrase (unencrypted).
The .csr file is the signing request (hand it to the CA); the .pem file is the private key and stays on the server.
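A complete, non-interactive version of the CSR step, added here as an example (it is not part of the original notes). The notes reference a req.conf but do not show one; the file below is a constructed one that answers every prompt and requests a subjectAltName, since clients match the hostname against the SAN rather than the CN. The subject, hostnames and file names are assumptions; BITS defaults to the 4096 used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes. req.conf contents, subject,
# hostnames and paths are constructed for this demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
BITS=${BITS:-4096}

# req.conf: prompt = no makes openssl take the DN from the [dn] section,
# req_extensions adds the SAN (and key usage) to the request.
write_req_conf() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = XX
O  = Example Org
CN = subdomain.example.com

[ v3_req ]
subjectAltName = DNS:subdomain.example.com,DNS:www.subdomain.example.com
keyUsage       = digitalSignature,keyEncipherment
EOF
}

# Generate key + CSR (the notes' command, with -nodes). umask 077 keeps the
# key file readable only by its owner; drop -nodes to be asked for a passphrase.
make_csr() {
    dir=$1
    write_req_conf "$dir/req.conf"
    ( umask 077
      openssl req -config "$dir/req.conf" -newkey "rsa:$BITS" -nodes -sha512 \
          -keyout "$dir/subdomain.example.com.pem" \
          -out "$dir/subdomain.example.com.csr" 2>/dev/null )
}

# Succeeds if the CSR's self-signature verifies and it carries $2 as a DNS SAN.
csr_has_san() {
    csr=$1 host=$2
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 &&
    openssl req -noout -text -in "$csr" | grep -q "DNS:$host"
}

# Succeeds if the private key ($1) is the one the CSR ($2) was built from
# (same public key in both).
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

make_csr "$WORK"
csr_has_san "$WORK/subdomain.example.com.csr" subdomain.example.com \
    && echo "CSR ok: $WORK/subdomain.example.com.csr"
key_matches_csr "$WORK/subdomain.example.com.pem" "$WORK/subdomain.example.com.csr" \
    && echo "key and CSR match"
```

Inspect the request before sending it with `openssl req -noout -text -in subdomain.example.com.csr`; the SAN appears under "Requested Extensions".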
Using ssl announce for rtorrent:
1) Add the certificate
openssl s_client -connect myserver.com:443 </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' >> /etc/ssl/certs/ca-certificates.crt
This appends whatever certificate the server presents on this one connection to the bundle, i.e. it is trusted on first use, so run it over a connection you trust and repeat it when the server's certificate is renewed.
2) Refresh the certificates
c_rehash
3) Test
curl -I --capath /etc/ssl/certs https://myserver.com:443
You may need the option:
http_capath=/etc/ssl/certs
in your .rtorrent.rc config file!
Other hints:
All certificates of a site can be shown with:
openssl s_client -connect server.com:443 -showcerts
Instead of running c_rehash over the whole directory, a single certificate can be hashed (symlinked under its subject hash; -hash is the same as -subject_hash) with:
ln -s certificate.pem $(openssl x509 -hash -noout -in certificate.pem).0
The .0 suffix is for the first certificate with that hash; c_rehash uses .1, .2, ... for further ones.
To determine whether a certificate will be accepted, use openssl verify:
openssl verify -CApath /etc/ssl/certs -verbose certificate.pem
When openssl is compiled from source, no root certificates are included!
You can get root certificates here: http://curl.haxx.se/docs/caextract.html
These have to be placed e.g. in /etc/ssl/certs/ca-certs.crt (or .pem; the extension makes no difference, OpenSSL reads the PEM contents) and may have to be hashed with c_rehash as above.
That way officially signed sites will work.
Usually a signed site uses a chain of certificates, so every certificate above the server certificate in the chain (the intermediates and the root) has to be obtained and hashed. The -showcerts option of openssl s_client displays each certificate of the chain.
Self-signed certificates also have to be added and hashed if you want them to be accepted.
Create a self-signed certificate (-nodes: unencrypted key; newone.pem is the certificate, newone.key the private key):
openssl req -new -x509 -keyout newone.key -out newone.pem -days 365 -nodes
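An added example (not from the original notes) that ties the rtorrent steps, the hashing hint and the self-signed command together offline: it builds a toy chain root -> intermediate -> leaf, installs the issuers into a hashed directory the way the `ln -s ... $(openssl x509 -hash ...).0` hint does, checks acceptance with `openssl verify -CApath`, and splits an `s_client -showcerts`-style dump into one file per certificate so each can be hashed. The subjects, file names, the extension config and the temporary directory standing in for /etc/ssl/certs are all constructed; the root is created with the notes' `req -new -x509 -nodes` form plus CA extensions.

```shell
#!/bin/sh
# Added example, not from the original notes. Names, subjects, config and
# paths are constructed; $CAPATH stands in for /etc/ssl/certs.
set -eu

WORK=${WORK:-$(mktemp -d)}
CAPATH="$WORK/certs"
CFG="$WORK/chain.cnf"

# One config for all openssl calls: no prompts (subjects come from -subj) and
# one extension section per certificate role.
write_cfg() {
    cat > "$CFG" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ int_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage         = critical,keyCertSign,cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:myserver.example
EOF
}

# Self-signed root: the notes' "openssl req -new -x509 ... -nodes" command,
# with CA extensions so it is usable as an issuer.
make_root() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -sha256 \
        -config "$CFG" -extensions ca_ext -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Issue certificate $1 with subject $2, signed by $3, using extension section $4.
issue() {
    name=$1 subj=$2 issuer=$3 ext=$4
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$CFG" -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -days 365 -sha256 \
        -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
        -extfile "$CFG" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_chain() {
    write_cfg
    make_root
    issue intermediate "/CN=Demo Intermediate CA" root int_ext
    issue leaf "/CN=myserver.example" intermediate leaf_ext
}

# Copy one certificate into $CAPATH and add the <subject-hash>.0 symlink that
# c_rehash would create (collisions get .1, .2, ... which this demo skips).
install_cert() {
    mkdir -p "$CAPATH"
    base=$(basename "$1")
    cp "$1" "$CAPATH/$base"
    ln -sf "$base" "$CAPATH/$(openssl x509 -noout -subject_hash -in "$1").0"
}

# Succeeds only when a full chain up to a trusted root can be built from the
# hashed directory, which is what curl --capath / rtorrent's http_capath do.
verify_leaf() {
    openssl verify -CApath "$CAPATH" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Split a stream with several PEM certificates (e.g. saved s_client -showcerts
# output) into $2/cert-1.pem, cert-2.pem, ... so each can be installed on its own.
split_pem() {
    mkdir -p "$2"
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" |
        awk -v d="$2" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/cert-" n ".pem") }'
}

build_chain
install_cert "$WORK/root.pem"
if verify_leaf; then echo "unexpected: leaf accepted without the intermediate"
else echo "root only: leaf rejected (chain incomplete)"; fi
install_cert "$WORK/intermediate.pem"
verify_leaf && echo "root + intermediate installed: leaf accepted"
```

The first verify fails with "unable to get local issuer certificate": the root alone is not enough, the intermediate has to be in the hashed directory too, which is the chain point made above.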