
Issue Certs, Be a Certificate Authority

Become Your Own Certificate Authority (CA)

A modern version of OpenSSL is required for this tutorial (1.1.1 or later: the -pbkdf2 and -addext options used below do not exist in older releases), so please make sure you install that first and check it with openssl version.

Step 1: Create an Encrypted Password File for Better Security

  • Edit a file yourpass and place your desired password in clear-text inside it.
  • Encrypt your password using openssl (keep the -pbkdf2 flag: without it enc falls back to a weak, deprecated key-derivation routine and warns about it):
    openssl enc -aes256 -pbkdf2 -salt -in yourpass -out yourpass.enc

  • Delete your clear-text file
    rm yourpass

  • Caveat: the file: password source used in the following steps makes OpenSSL read the first line of the named file verbatim as the passphrase; it never decrypts the file. With yourpass.enc that first line is a slice of the ciphertext, so the .enc file itself becomes the effective passphrase and must be guarded like one: owner-readable only (chmod 600), never stored next to a copy of the key, and used for every later -passin, because you cannot reproduce that passphrase at an interactive prompt. A plain passphrase file with the same permissions gives the same protection with less surprise.

Step 2: Generate Private Key for Certificate Authority (CA)

Warning

This key is the root of trust for everything you issue: anyone who obtains ca.key together with its passphrase can mint certificates that every device trusting your CA will accept. Keep it offline or tightly access-controlled, owner-readable only, and never copy it onto the servers you issue certificates for.

  • Generate your private key, encrypting it at rest with the cipher of your choice
    • AES-256 is the sensible choice; 3DES (des3) is a legacy cipher kept only for compatibility with old tooling
      openssl genrsa -aes256 -passout file:yourpass.enc -out ca.key 4096
      # Or the legacy des3
      openssl genrsa -des3 -passout file:yourpass.enc -out ca.key 4096

  • Verify your private key (this decrypts it with the passphrase file and prints the key components, so do it where nobody can read your screen)
    openssl rsa -noout -text -in ca.key -passin file:yourpass.enc

Step 3: Create Certificate Authority (CA) Certificate

  • Run the following command and answer the questions. -x509 produces a self-signed certificate instead of a CSR; with the stock openssl.cnf (its v3_ca section) or the OpenSSL 3.x defaults it carries basicConstraints CA:TRUE, which is what marks it as a CA.
    openssl req -new -x509 -days 3650 -key ca.key -out ca.cert.pem -passin file:yourpass.enc

  • This is NOT your App/Server/Webserver certificate, this is your Authority's Certificate, so answer as an authority. The Common Name is what devices will display as the issuer, so a descriptive CA name (for example "Something Root CA") is conventional; the example below uses the author's own name.
    My Example Answers
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:Eureka
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:College of the Redwoods
    Organizational Unit Name (eg, section) []:Computer Information Systems
    Common Name (e.g. server FQDN or YOUR name) []:Trevor Hartman
    Email Address []:trevor-hartman@redwoods.edu

  • Verify your created CA certificate. Issuer and Subject must be identical, and the output should contain "X509v3 Basic Constraints" with CA:TRUE; without that, clients will refuse to build a chain through it.
    openssl x509 -noout -text -in ca.cert.pem

Step 4: Generate an App/Server Key and Certificate Signing Requests (CSR)

  • Create your App/Server/Webserver private key
    • NOTE: Here I created a new servpass.enc encrypted pass-file (i.e. a different encryption password). The server key belongs to whoever operates the server, and a compromise of the server passphrase must not also hand over the CA, so never reuse the CA password here.
      openssl genrsa -aes256 -passout file:servpass.enc -out server.key 4096
      # OR
      openssl genrsa -des3 -passout file:servpass.enc -out server.key 4096

  • Verify your App/Server key
    openssl rsa -noout -text -in server.key -passin file:servpass.enc

  • Create your certificate signing request (CSR)
    • The CSR is signed with server.key to prove you hold the private key matching the public key in the request; the CA never sees the private key itself.
    • When answering the Common Name (CN) question, put the FQDN or IP that will match your DNS entries. Modern browsers ignore the CN for hostname matching and require a subjectAltName (SAN) extension, so also request one with -addext (OpenSSL 1.1.1+), using IP: for an address or DNS: for a hostname:
      openssl req -new -key server.key -out server.csr -passin file:servpass.enc -addext "subjectAltName=IP:192.168.20.10"

      Example Answers to CSR
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]:California
      Locality Name (eg, city) []:Eureka
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:College of the Redwoods
      Organizational Unit Name (eg, section) []:Computer Information Systems
      Common Name (e.g. server FQDN or YOUR name) []:192.168.20.10
      Email Address []:trevor-hartman@redwoods.edu

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

  • Verify your certificate signing request (CSR). The "Requested Extensions" section should list your subjectAltName.
    openssl req -noout -text -in server.csr

Step 5: Use Your CA to Sign your CSR

  • Issue server.crt by signing server.csr with your root certificate ca.cert.pem and ca.key
    • -CAcreateserial creates the serial-number file (ca.cert.srl, next to the CA certificate) if it does not exist, seeding it with a random value; every later signing reads and increments it. Keep that file: each certificate a CA issues must carry a unique serial, and it is the only record this bare-bones CA keeps of what it has issued.
    • -copy_extensions copy (OpenSSL 3.0+) carries the subjectAltName from the CSR into the certificate. Without it, x509 -req drops the requested extensions (older versions even emit a v1 certificate) and browsers reject the result for lacking a SAN; on OpenSSL 1.1.1 supply the extensions with -extfile instead.
    • 3650 days is fine for the CA itself, but Apple clients reject server certificates valid for more than 825 days, and a shorter leaf lifetime also limits the damage of a leaked server key.
      openssl x509 -req -days 825 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -copy_extensions copy -out server.crt -passin file:yourpass.enc

  • Verify your signed server certificate. The Issuer should be your CA's subject, and the "X509v3 Subject Alternative Name" line should show your IP or hostname.
    openssl x509 -noout -text -in server.crt

Step 6: Trust your CA!!!

  • Since this is a self-generated Certificate Authority, server.crt chains up to a root that no device knows about yet, so you will need to download and trust your CA certificate on every device that will talk to the server, or you will get SSL/TLS certificate errors.
  • Distribute only ca.cert.pem. Devices need the certificate, never ca.key; the key stays with you.
  • Before touching any device, confirm the chain locally with openssl's verify command, giving it ca.cert.pem as the trusted CA file and server.crt as the certificate to check: the output should be "server.crt: OK".
  • Where the certificate goes differs per platform: operating systems have a system trust store (Windows Certificate Manager, macOS Keychain, /usr/local/share/ca-certificates followed by update-ca-certificates on Debian/Ubuntu), while Firefox and Java keep their own stores and must be configured separately.
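The six steps above as one non-interactive script, added here as an example and not part of the original page. It keeps the page's file names (ca.key, ca.cert.pem, server.key, server.csr, server.crt) and its 192.168.20.10 address; the DN values, the random passphrase files, the 825-day leaf lifetime, the KEY_BITS default and the extension sets are assumptions of the example. It also adds the checks a practitioner wants before trusting the CA on a device: the chain verifies with only ca.cert.pem as trust anchor, the IP matches the SAN, the certificate's public key matches server.key, and the same certificate fails when no CA is supplied.

```shell
#!/bin/sh
# Added example (not from the page): Steps 1-6 as one non-interactive script.
# Runs on OpenSSL 1.1.1 and 3.x. Output goes to $PKI_DIR or a fresh temp dir.
set -eu

KEY_BITS="${KEY_BITS:-2048}"   # the page uses 4096; 2048 keeps this demo fast

# Step 1. OpenSSL's "file:" source reads the FIRST LINE of the file verbatim
# as the passphrase, so the file itself is the secret: protect it with
# permissions (umask 077 -> mode 600) rather than by encrypting it.
make_passfile() {               # make_passfile <path>
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# Steps 2-3. CA key plus self-signed CA certificate. The private config makes
# CA:TRUE and keyCertSign explicit instead of relying on the system openssl.cnf.
make_ca() {                     # make_ca <dir>
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    make_passfile "$1/capass"
    ( umask 077; openssl genrsa -aes256 -passout "file:$1/capass" \
          -out "$1/ca.key" "$KEY_BITS" 2>/dev/null )
    openssl req -new -x509 -days 3650 -sha256 -config "$1/req.cnf" \
        -key "$1/ca.key" -passin "file:$1/capass" \
        -subj "/C=US/ST=California/O=College of the Redwoods/CN=CIS Lab Root CA" \
        -out "$1/ca.cert.pem"
}

# Step 4. Server key (own passphrase file) and a CSR that carries the SAN, so
# the request documents what was asked for.
make_server_csr() {             # make_server_csr <dir> <ip>
    make_passfile "$1/servpass"
    ( umask 077; openssl genrsa -aes256 -passout "file:$1/servpass" \
          -out "$1/server.key" "$KEY_BITS" 2>/dev/null )
    openssl req -new -sha256 -config "$1/req.cnf" \
        -key "$1/server.key" -passin "file:$1/servpass" \
        -subj "/C=US/ST=California/O=College of the Redwoods/CN=$2" \
        -addext "subjectAltName=IP:$2" -out "$1/server.csr"
}

# Step 5. The CA sets the leaf's extensions itself via -extfile (works on
# 1.1.1 and 3.x; on 3.x "-copy_extensions copy" could take them from the CSR).
# 825 days is the longest leaf lifetime Apple clients still accept.
sign_server_cert() {            # sign_server_cert <dir> <ip>
    cat > "$1/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -days 825 -sha256 -in "$1/server.csr" \
        -CA "$1/ca.cert.pem" -CAkey "$1/ca.key" -passin "file:$1/capass" \
        -CAcreateserial -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

# Step 6. "Trusting the CA" means handing the verifier ca.cert.pem and nothing
# else. Succeeds only if the chain builds AND <ip> matches the SAN.
verify_cert() {                 # verify_cert <dir> <ip>
    openssl verify -CAfile "$1/ca.cert.pem" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

# The same certificate with no trust anchor is what a browser reports as an
# unknown-issuer error. Succeeds when verification fails, as it must.
verify_without_ca_fails() {     # verify_without_ca_fails <dir>
    ! openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
}

# Catches a cert/key mix-up: the public key inside server.crt must equal the
# public half of server.key (compared via SHA-256 of their DER encodings).
key_matches_cert() {            # key_matches_cert <dir>
    a=$(openssl x509 -noout -pubkey -in "$1/server.crt" \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$1/server.key" -passin "file:$1/servpass" \
        -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

build_pki() {                   # build_pki <dir> <ip>
    mkdir -p "$1" && chmod 700 "$1"
    make_ca "$1"
    make_server_csr "$1" "$2"
    sign_server_cert "$1" "$2"
}

main() {
    out="${PKI_DIR:-$(mktemp -d)}"
    build_pki "$out" 192.168.20.10
    verify_cert "$out" 192.168.20.10 && key_matches_cert "$out" \
        && verify_without_ca_fails "$out" \
        && echo "built and verified in $out; distribute only ca.cert.pem"
}
main
```

Run it as `PKI_DIR=./lab-pki sh ca-demo.sh`. The verify_cert check is the exact condition a client enforces (chain to a trusted root plus a name match), so if it passes here and a device still complains, the device is missing ca.cert.pem from its trust store rather than there being anything wrong with the certificate.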