If your request is for a domain that ends in ".dev", it will be signed automatically and you will be able to download the certificate immediately. Otherwise, the request will require approval, and you will receive an email with your signed certificate once the approval is complete.
(Make sure to include your email address when you generate the CSR, so that the system knows where to send your signed certificate!)
Generate a private key:
openssl genrsa -des3 -out server.pem 2048
Generate a certificate signing request (CSR):
openssl req -sha256 -out request.csr -key server.pem -new
Generate a CSR with a SAN (required for newer browsers):
domain=quill.dev && openssl req -new -sha256 -key server.pem \
  -subj "/C=US/ST=Oregon/L=Portland/O=IndieWeb/CN=$domain" -reqexts SAN \
  -config <(cat /usr/local/etc/openssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:$domain")) \
  -out "$domain.csr"
View a CSR's details:
openssl req -text -noout -verify -in request.csr
View a certificate:
openssl x509 -in example.dev.crt -text -noout
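A check to run on a CSR before submitting it, built on the CSR inspection command above; this is an added example, not part of the original page. It confirms that the request's self-signature verifies, that the SAN names the domain exactly, and that the subject carries an email address (a request built with -subj alone is never prompted for one). The function names, domains and addresses are constructed for illustration, and the sample key is a throwaway generated without a passphrase.

```shell
#!/bin/sh
# Added example; function names, domains and addresses are constructed for illustration.

# csr_check FILE DOMAIN: prints "ok" (status 0) or the first problem found (status 1-3).
csr_check() {
    csr=$1; domain=$2
    # Older OpenSSL exits 0 even when -verify fails, so match the message, not the status.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "self-signature does not verify"; return 1; }
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    # Split the SAN list on commas/spaces and require an exact DNS:<domain> entry.
    printf '%s\n' "$text" | tr -s ', ' '\n\n' | grep -Fxq "DNS:$domain" ||
        { echo "missing SAN DNS:$domain"; return 2; }
    # The signed certificate is mailed to the address found in the CSR subject.
    printf '%s\n' "$text" | grep -Eq 'emailAddress ?= ?[^ ,]+@' ||
        { echo "missing emailAddress"; return 3; }
    echo "ok"
}

# make_sample_csr DIR DOMAIN SAN EMAIL: throwaway unencrypted key + CSR for the demo.
# Pass an empty SAN or EMAIL argument to leave that field out of the request.
make_sample_csr() {
    dir=$1; domain=$2; san=$3; email=$4
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
${san:+req_extensions = SAN}
[dn]
C = US
ST = Oregon
L = Portland
O = IndieWeb
CN = $domain
${email:+emailAddress = $email}
[SAN]
subjectAltName = DNS:$domain
EOF
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/key.pem" -config "$dir/req.cnf" \
        -out "$dir/$domain.csr" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp" good.dev yes dev@good.dev
make_sample_csr "$tmp" nosan.dev "" dev@nosan.dev
csr_check "$tmp/good.dev.csr" good.dev
csr_check "$tmp/nosan.dev.csr" nosan.dev || true
```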
In order to avoid the SSL certificate warning from your browser when visiting a site that uses your new certificate, you'll need to add the IndieWebCamp certificate authority to your system.
indiewebcamp-root-certificate-256.crt
Opening this file on OS X will prompt you to add it to your keychain. Once you do that, your browser should recognize any site signed by this root certificate.