How to make a Self-Signed Certificate, for use with Apache SSL
==============================================================

These instructions come from S. Mukund, over IRC, resummarized by
Ben Collins-Sussman.  They should prove useful to anyone who wants to
set up a public apache svn server with SSL.  You can pass out your
*own* homemade CA cert to svn clients, so they explicitly know they
can trust your server's cert.


I.  Create a Certifying Authority (CA) keypair  (ca.crt / ca.key)

    Create CA certificate:

    a. generate key  (makes 1024 bit RSA key in ca.key)

         openssl genrsa -out ca.key 1024

    b. create CA cert, valid for the next 365 days  (ca.crt)

         openssl req -new -key ca.key -x509 -days 365 -out ca.crt

         [answer questions]

         Country Name:       US
         etc...
         Organization:       CollabNet
         Organization Unit:  [leave blank]
         Common Name:        CollabNet Subversion CA
         Email:              ...


II.  Create CA-Signed Server Cert  (server.crt / server.key)

    "Basically a CSR is a request document created by the person who
    created the server key, to the certificate authority asking the
    certificate authority to sign the key, hence proving its
    authenticity.  When the certificate authority signs the CSR, it
    becomes the server's certificate."

    a. generate key for the server itself

         openssl genrsa -out server.key

    b. create CSR for server.key

         openssl req -new -key server.key -out server.csr

         [answer questions...]

         Common Name:  svn.ch.collab.net   <-- use FQDN of server!

    c. have the CA sign the CSR

         openssl x509 -req -days 365 -in server.csr -CA ca.crt \
                 -CAkey ca.key -CAcreateserial -out server.crt


III.  Configure apache and svn clients

    Use the four files (server.[crt|key], ca.[crt|key]) in apache
    configuration.

    * ca.key is private; the other three files are needed by apache.

    * have svn clients download ca.crt as a 'trusted CA authority',
      and install into the subversion client.

      Specifically, neon wants a .pem format version of ca.crt.
      Create it like this:

         openssl x509 -in ca.crt -out ca.pem -outform PEM

      And have svn clients set "ssl-authorities-file = ca.pem"

    * multiple ca.pem files can be concatenated together, and svn
      clients can point to the concatenated file.
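
The procedure in sections I and II, scripted with -subj so it runs without prompts and followed by three checks (chain verification, key/certificate match, subject CN). This is an added example, not part of the original instructions; the subject names, the scratch directory and the 2048-bit key size are assumptions made here.

```shell
#!/bin/sh
# Added example: steps I-II run non-interactively, followed by checks.
# Subject names and the 2048-bit key size are assumptions of this example.
set -eu

make_chain() {   # $1 = output directory, $2 = server FQDN (becomes the CN)
    ( cd "$1"
      openssl genrsa -out ca.key 2048 2>/dev/null
      openssl req -new -key ca.key -x509 -days 365 -out ca.crt \
          -subj "/C=US/O=Example Org/CN=Example Test CA"
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -out server.csr \
          -subj "/C=US/O=Example Org/CN=$2"
      openssl x509 -req -days 365 -in server.csr -CA ca.crt \
          -CAkey ca.key -CAcreateserial -out server.crt 2>/dev/null
      openssl x509 -in ca.crt -out ca.pem -outform PEM
      chmod 600 ca.key server.key )   # private keys: owner-only
}

verify_chain() {   # succeeds only if server.crt was signed by ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

key_matches_cert() {   # public key in server.crt must match server.key
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

cert_subject() {   # print the subject so the CN can be compared to the FQDN
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
make_chain "$dir" svn.example.test
if verify_chain "$dir" && key_matches_cert "$dir"; then
    echo "OK: $(cert_subject "$dir")"
else
    echo "FAILED: chain or key mismatch" >&2
fi
```

Running the same three checks against the real server.crt, server.key and ca.crt before pointing apache at them catches a certificate signed by the wrong CA or paired with the wrong key.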