X.509 Certificate Generation The WebID Protocol consumer needs an x509 certificate with v3 extension "Subject Alternate Name". This attribute is used for the owner's WebID. For testing purposes, we used the OpenSSL demo CA to generate such certificates. If you are not using the OpenSSL demo CA, you must first set up a self-signed CA; refer to the OpenSSL documentation for how to do this. Add the following line to the [usr_cert] section of the openssl.cnf file — subjectAltName=$ENV::ALTNAME Set the environment variable ALTNAME to the owner's WebID, e.g., export ALTNAME=URI:http://localhost/dataspace/person/myname#this Make a self-signed certificate, e.g., $ CA.pl -newreq (follow the dialog) $ CA.pl -sign When asked to commit the certificate, make sure you see several lines above, like — X509v3 Subject Alternative Name: URI:http://localhost/dataspace/person/myname#this If your browser wants a PKCS#12 bundle, you must make one — $ openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out mycert.p12 Rename newcert.pem and newkey.pem; for example, to mycert.pem and mykey.pem.