
Certificate Authority

Create your own CA

# 4096-bit RSA CA key, written UNENCRYPTED to ca.key: anyone who can read this
# file can issue certificates that every client importing ca.crt will trust.
# Keep it off shared/networked storage, restrict its file permissions, or add
# -aes256 here to protect it with a passphrase.
openssl genrsa -out ca.key 4096
# Self-signed CA certificate, valid 10 years, SHA-512 signature. No -config is
# given, so the system openssl.cnf supplies the subject prompts and (normally)
# its own v3_ca extensions; the config further down this page is NOT used here.
# -nodes only matters for a key that req generates itself; with -key it is a no-op.
openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -sha512

Create certificates

Create private keys

# Server private key (unencrypted, like the CA key above). The CSR and the
# final certificate are bound to this key; it stays on the server only.
openssl genrsa -out example.com.key 4096

Minimal openssl.conf (the commands below expect it saved as example.com.conf)

# Only read by `openssl ca`. The signing commands on this page use
# `openssl x509 -req`, which never consults this section.
[ ca ]
default_ca  = CA_default

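# Settings for `openssl ca`. Unused by the `openssl x509 -req` flow on this
# page, which keeps no database/serial/CRL state. Paths are relative to dir.
[ CA_default ]
dir = .  # Where everything is kept
certs = $dir/certs  # Where the issued certs are kept
crl_dir = $dir/crl  # Where the issued CRLs are kept
database = $dir/index.txt  # database index file
new_certs_dir = $dir/newcerts  # default place for new certs

# NOTE: the commands on this page write ca.crt / ca.key in the working
# directory, not these paths; align them before running `openssl ca`.
certificate = $dir/cacert.pem  # The CA certificate
serial = $dir/serial  # The current serial number
# crlnumber must be commented out to leave a V1 CRL
crlnumber = $dir/crlnumber  # the current CRL number
crl = $dir/crl.pem  # The current CRL
private_key = $dir/private/cakey.pem  # The private key

name_opt = ca_default  # Subject Name options
cert_opt = ca_default  # Certificate field options

default_days = 365  # how long to certify for
default_crl_days = 30  # how long before next CRL
default_md = default  # use public key default MD
preserve = no  # keep passed DN ordering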

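# Extensions for a CA certificate. Applied only when this file is passed to
# `openssl req -x509 -config` (see [req] x509_extensions); the CA created at
# the top of this page does not use this file and gets the system
# openssl.cnf defaults instead.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
# RFC 5280 §4.2.1.3: a CA certificate should carry a keyUsage that limits
# the key to signing certificates and CRLs.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign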

# Subject-matching policy for `openssl ca` (not used by `openssl x509 -req`):
# "optional" fields may be absent, "supplied" fields must be present.
# With preserve = no, the field order here also becomes the issued DN order.
[ policy_anything ]
countryName   = optional
stateOrProvinceName = optional
localityName    = optional
organizationName  = optional
organizationalUnitName  = optional
commonName    = supplied
emailAddress    = optional

# Prompts shown by `openssl req -new` for each subject field (the commands
# below pass no -subj, so the fields are asked for interactively).
# <field>_min / <field>_max bound the accepted length; no <field>_default
# values are set, so nothing is pre-filled.
[ req_distinguished_name ]
countryName     = Country Name (2 letter code)
countryName_min     = 2
countryName_max     = 2

stateOrProvinceName   = State or Province Name (full name)
localityName      = Locality Name (eg, city)
organizationName    = Organization Name (eg, company)
organizationalUnitName    = Organizational Unit Name (eg, section)

# TLS clients match the hostname against subjectAltName (see [alt_names]),
# not against this CN; set both consistently.
commonName      = Common Name (e.g. server FQDN or YOUR name)
commonName_max      = 64

emailAddress      = Email Address
emailAddress_max    = 64


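# Settings for `openssl req`. default_bits / default_keyfile only apply when
# req generates the key itself; the commands below pass -key instead.
[req]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# used by `req -x509` (self-signed certificate) only, not by `req -new`
x509_extensions = v3_ca
# encode DN strings as UTF8String only (no BMPString/T61String variants)
string_mask = utf8only
# extensions embedded in the CSR; `x509 -req` does not copy them from the
# CSR, which is why the signing command below repeats -extfile/-extensions
req_extensions = v3_req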

# Extensions for the end-entity (server) certificate; selected explicitly on
# the signing command below with `-extensions v3_req`.
[ v3_req ]
# leaf certificate: must not be able to issue further certificates
basicConstraints = CA:FALSE
# NOTE(review): no extendedKeyUsage is set, so the certificate is accepted
# for any purpose; add `extendedKeyUsage = serverAuth` if it is only meant
# to be a TLS server certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# hostnames clients will validate against; defined in [alt_names]
subjectAltName = @alt_names

# Names the certificate is valid for. Add further hostnames as DNS.2, DNS.3, …
# (addresses as IP.1 = …); each entry must be exactly what clients connect to.
[alt_names]
DNS.1 = example.com

Create certificates

# Build the CSR from the config above (saved as example.com.conf). Without
# -subj this prompts for each [req_distinguished_name] field.
openssl req -new -nodes -out example.com.csr -key example.com.key -config example.com.conf
# Sign with the CA. -extfile/-extensions are required: `x509 -req` ignores
# extensions carried inside the CSR (unless -copy_extensions, OpenSSL 3.0+),
# so without them the SAN and keyUsage would be dropped. -CAcreateserial
# writes ca.srl on first use; keep that file so later certificates from this
# CA get distinct serials. This flow keeps no index/CRL state, so issuing a
# revocation list would need `openssl ca` and the [CA_default] paths instead.
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -days 365 -in example.com.csr -out example.com.crt -extfile example.com.conf

Import CA to clients

via trust command

# p11-kit: register ca.crt as a system trust anchor, then rebuild the
# consolidated bundles so OpenSSL/GnuTLS/NSS consumers pick it up. Every
# machine this runs on will trust anything signed with ca.key, so import it
# only where that is intended. Both commands need root.
trust anchor ca.crt
update-ca-trust

via file

# Same result by copying the file: this anchors directory is the Arch Linux
# layout; Fedora/RHEL use /etc/pki/ca-trust/source/anchors instead. Needs root.
cp ca.crt /etc/ca-certificates/trust-source/anchors
update-ca-trust