Category: WINDOWS
2007-05-23 11:19:26
---Begin---
[ req ]
default_bits = 1024                     # Size of keys
default_keyfile = key.pem               # name of generated keys
default_md = md5                        # message digest algorithm
string_mask = nombstr                   # permitted characters
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Variable name                 Prompt string
#----------------------         ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------------ ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
----End----
4.
Our overrides to the "openssl req" command are:
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 3650 -config ./openssl.cnf
openssl x509 -in cacert.pem -noout -text
# openssl x509 -in cacert.pem -noout -dates
# openssl x509 -in cacert.pem -noout -purpose
openssl rsa -in ... -out ... can be used to inspect the key.
Next, start creating the certificate.
5.
Add a v3_req extension section to openssl.cnf:
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
and reference it from the [ req ] section:
distinguished_name = req_distinguished_name
req_extensions = v3_req
6.
openssl req -new -nodes -out req.pem -config ./openssl.cnf
openssl req -in req.pem -text -verify -noout
7.
[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
8.
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
9.
openssl x509 -in cert.pem -noout -text -purpose | more
10.
The certificate has both the encoded version and a human-readable version in the same file. You can strip off the human-readable portion as follows:
# mv cert.pem tmp.pem
# openssl x509 -in tmp.pem -out cert.pem
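The whole procedure above (steps 4 to 10), as an added example that is not part of the original post: one shell function builds a throwaway CA directory, issues and signs a certificate non-interactively, strips the text portion, and verifies the chain. It assumes the openssl CLI is on PATH, and it deliberately departs from the post's config in two places: sha256 instead of md5 as the digest, and 2048-bit instead of 1024-bit keys.

```shell
# Added example, not code from the original post. Runs the post's CA
# procedure end to end in a temporary directory and checks the result.
# Assumes openssl is on PATH; uses sha256 and 2048-bit keys instead of md5/1024.
build_and_verify_ca() (
  work=$(mktemp -d) && cd "$work" || return 1
  mkdir -p private newcerts && touch index.txt && echo 01 > serial || return 1
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = v3_req
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
  # Step 4: self-signed CA certificate; -nodes and -subj avoid the prompts.
  openssl req -new -x509 -extensions v3_ca -nodes -keyout private/cakey.pem \
    -out cacert.pem -days 3650 -config ./openssl.cnf \
    -subj "/C=US/O=The Sample Company/CN=Sample CA" || return 1
  # Step 6: key and certificate request for a server (constructed sample DN).
  openssl req -new -nodes -keyout key.pem -out req.pem -config ./openssl.cnf \
    -subj "/C=US/O=The Sample Company/CN=www.example.com" || return 1
  # Step 8: sign the request with the CA; -batch skips the y/n confirmations.
  openssl ca -batch -out cert.pem -config ./openssl.cnf -infiles req.pem >/dev/null || return 1
  # Step 10: keep only the PEM block, then check that it chains to the CA.
  openssl x509 -in cert.pem -out cert-clean.pem || return 1
  openssl verify -CAfile cacert.pem cert-clean.pem   # prints "cert-clean.pem: OK"
)
```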