For testing purposes, you can use a self-signed server certificate authority (CA) rather than a third-party CA. The steps to create a self-signed server CA for Apache are very similar to the steps to create a CA for client certificates described in Creating a Certificate Authority for Client Certificates.
Use the following command to create a server CA. Set the subject to the DNS name of the server.
$ pktool gencert label=apacheCA subject="CN=apachetest" \ serial=0x01
Use the following command to create a CSR for a server CA. If the server is accessible under several names or you want to make it available under its IP address directly, use the subjectAltName directive as described in Subject Alternative Name in the OpenSSL documentation.
$ pktool gencsr label=apache subject="CN=pkg-sec.internal.example.com" \ altname="IP=192.0.2.0,DNS=pkg-sec.internal.example.com" \ format=pem outcsr=apache.csr
Use the following command to sign the CSR. Use server.crt for SSLCertificateFile.
$ pktool signcsr signkey=apacheCA csr=apache.csr serial=0x02 \ outcert=server.crt issuer="CN=apachetest"
Use the following command to extract the key. Use server.key for SSLCertificateKeyFile.
$ pktool export objtype=key label=apache outformat=pem \ outfile=server.key
To ensure that your client will accept this server key, add the CA certificate (apacheCA) to the accepted CA directory on the client and restart the ca-certificates service to create the required links for OpenSSL.
Use the following command to extract the CA certificate:
$ pktool export label=apacheCA objtype=cert outformat=pem \ outfile=test_server_ca.pem
Copy the CA certificate to the CA certificate directory on the client:
$ cp /path-to/test_server_ca.pem /etc/certs/CA/
Refresh the CA certificates service:
$ svcadm refresh ca-certificates
Before you proceed, ensure that your new CA cert has been linked. After refreshing, the ca-certificate service rebuilds the links in the /etc/openssl/certs directory. Run the following command to check whether your new CA cert has been linked:
$ ls -l /etc/openssl/certs | grep test_server_ca.pem lrwxrwxrwx 1 root root 40 May 1 09:51 e89d96e0.0 -> ../../certs/CA/test_server_ca.pem
The hash value, e89d96e0.0, might be different for you since it is based on the subject of your certificate.