***** Create a self signed cert ************
-1) openssl genrsa 512 > client-key.pem
+1) openssl genrsa 1024 > client-key.pem
-2) openssl req -new -x509 -nodes -md5 -days 1000 -key client-key.pem > client-cert.pem
+2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem
-3) note sha1 would be -sha1
+3) note md5 would be -md5
-- adding metadata to beginning
***** Create a cert signed by CA **************
-1) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem
+1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
* note if using exisitng key do: -new -key keyName
2) copy ca-key.pem ca-cert.srl (why ????)
-3) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
+3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
+***** Adding Subject Key ID and Authentication Key ID extensions to a cert *****
+
+Create a config file for OpenSSL with the example contents:
+
+ [skidakid]
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid
+
+Add to the openssl command for creating a cert signed by a CA step 3 the
+following options:
+
+ -extfile <file.cnf> -extensions skidakid
+
+anywhere before the redirect. This will add the cert's public key hash as the
+Subject Key Identifier, and the signer's SKID as the Authentication Key ID.
+
***** To create a dsa cert ********************
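Review bot: The replacement commands in steps 1 to 3 of both the self-signed and the CA-signed sections still generate weak material: `genrsa 1024` / `-newkey rsa:1024` and `-sha1` are an improvement over 512-bit keys and MD5, but 1024-bit RSA and SHA-1 signatures are themselves deprecated. I would suggest at least 2048-bit keys and `-sha256`. If these certs are deliberately weak, for example as test fixtures, a one-line comment saying so would stop the commands being copied for other uses. The rewritten step 3 note, `note md5 would be -md5`, could then be dropped rather than documenting the way back to MD5. In the new section, the heading and the closing sentence say "Authentication Key ID", while the extension set by `authorityKeyIdentifier=keyid` is the Authority Key Identifier; please use that name so it matches the config key and what OpenSSL prints when the cert is inspected.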