Making your own OpenSSL Certification Authority (CA)

James Young · April 15, 2013

If you want to make your own CA, usually for the purposes of signing certificates internally for testing and such, you can do that pretty easily with CentOS.  On a secure box somewhere, you’ll need to create a CA certificate.

Edit /etc/pki/tls/openssl.cnf and change the various entries to match the name etc for your organization, then do the following;

touch /etc/pki/CA/index.txt
echo '01' > /etc/pki/CA/serial
openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

The above will generate an OpenSSL local CA with an expiry date 10 years in the future.  Now, after doing that you’ll have to copy your new cacert.pem into your trusted store so your machine will automatically trust it.

cp /etc/pki/CA/cacert.pem /etc/pki/tls/cacert.pem
ln -s /etc/pki/tls/cacert.pem `openssl x509 -noout -hash -in /etc/pki/tls/cacert.pem`.0

The above will generate a symlink with the hash code of the certificate and place it in the right spot.  You should now distribute cacert.pem as appropriate to the places that should trust it.

Now, we’ll generate a simple certificate, sign it, and verify the signature;

openssl req -new -nodes -keyout server.example.com.key -out server.example.com.csr
openssl ca -policy policy_anything -out server.example.com.crt -infiles server.example.com.csr
openssl verify server.example.com.crt

You should see an ‘OK’.  If you don’t, go over everything again, in particular make sure that the symlink was created properly.

Twitter, Facebook