Creating and Using a CA Certificate


Even though there are plenty of options available for obtaining an SSL certificate, you may want to issue your own certificates and check their validity using your own CA. This is useful for internal domains or for mTLS between services in your networks.

Below is how to create a CA certificate and issue certs with it, and how to verify that a certificate was issued with the CA you generated.

All examples here use the OpenSSL command-line tool.

Creating the Certificate Authority Certificate and Keys

First generate the private key and Root CA certificate that we will use to issue certs.

  1. Generate a private key for the CA:
openssl genrsa 4096 > ca-key.pem
  2. Generate the X509 CA certificate. Note that if you exclude -subj you will get an interactive prompt instead:
openssl req -new -x509 -nodes -days 3650 -sha256 \
	-subj "/C=US/O=My Org, Inc./OU=R&D/CN=MyOrgCA" \
	-key ca-key.pem \
	-out ca-cert.pem

If you want to pass more options to -subj, the following attribute strings are available (from RFC 4514, page 6):

		String  X.500 AttributeType
		------  --------------------------------------------
		CN      commonName (
		L       localityName (
		ST      stateOrProvinceName (
		O       organizationName (
		OU      organizationalUnitName (
		C       countryName (
		STREET  streetAddress (
		DC      domainComponent (0.9.2342.19200300.100.1.25)
		UID     userId (0.9.2342.19200300.100.1.1)

At this point you can view the CA certificate in a pretty format:

$ openssl x509 -in ca-cert.pem -text -noout
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "My Org, Inc.", OU = R&D, CN = MyOrgCA
            Not Before: Jan 29 02:06:59 2023 GMT
            Not After : Jan 26 02:06:59 2033 GMT
        Subject: C = US, O = "My Org, Inc.", OU = R&D, CN = MyOrgCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Creating the Server’s Certificate and Keys

Now that we have our Root CA certificate we can issue certs for our servers to use. To do this you must first generate a certificate request, and then sign it with your Root CA cert to generate the final certificate.

  1. Generate the private key and certificate request:
openssl req -newkey rsa:4096 -nodes -sha256 \
	-subj "/CN=mysite.myorg.internal" \
	-keyout server-key.pem \
	-out server-req.pem

If you want to add Subject Alternative Names (SANs) to make your cert valid for multiple DNS names, you can use the incantation below:

openssl req -newkey rsa:4096 -nodes -sha256 \
	-subj "/" \
	-reqexts SAN \
	-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:site1.myorg.internal,DNS:site2.myorg.internal")) \
	-keyout server-key.pem \
	-out server-req.pem
  2. Generate the X509 certificate for the server:

When setting -days, the validity time can be no longer than 398 days (13 months) or you might see errors. This is for security reasons; GlobalSign has a write-up on the history behind it.

The -set_serial flag sets the serial number, which is like an ID number for each cert issued by your CA. It must be a positive integer and unique to each cert issued. Below I’m just using date +%s to get a Unix timestamp for a simple serial number.

For further reading see RFC 5280.

openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
	-in server-req.pem \
	-out server-cert.pem \
	-CA ca-cert.pem \
	-CAkey ca-key.pem

# Or once again, if you need to specify SANs
openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
	-extfile <(printf "subjectAltName=DNS:site1.myorg.internal,DNS:site2.myorg.internal") \
	-in server-req.pem \
	-out server-cert.pem \
	-CA ca-cert.pem \
	-CAkey ca-key.pem

Verifying the Certificate

  1. To verify the server certificate:
$ openssl verify -CAfile ca-cert.pem server-cert.pem
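
The steps above collected into shell functions, with a verification that checks more than the chain: it also confirms the certificate covers the host name you expect and that the private key belongs to it. This is an added example, not part of the original post; the function names, the BITS variable and the san.ext file are this example's own, and the SANs are written to a file rather than passed by process substitution so it runs in plain sh.

```shell
#!/bin/sh
# Added example. File names follow the article; everything else is illustrative.
BITS="${BITS:-4096}"   # RSA key size, 4096 as in the article

# make_ca DIR CN: CA private key plus self-signed root certificate in DIR.
make_ca() {
    openssl genrsa -out "$1/ca-key.pem" "$BITS" 2>/dev/null &&
    openssl req -new -x509 -days 3650 -sha256 -subj "/O=My Org, Inc./CN=$2" \
        -key "$1/ca-key.pem" -out "$1/ca-cert.pem"
}

# issue_cert CADIR OUTDIR CN SANS: server key and CSR, then a 398-day cert
# signed by the CA. SANS is a subjectAltName value such as
# "DNS:site1.myorg.internal,DNS:site2.myorg.internal".
# The SANs are supplied at signing time through -extfile, as in the article.
issue_cert() {
    printf 'subjectAltName=%s\n' "$4" > "$2/san.ext"
    openssl req -newkey "rsa:$BITS" -nodes -sha256 -subj "/CN=$3" \
        -keyout "$2/server-key.pem" -out "$2/server-req.pem" 2>/dev/null &&
    openssl x509 -req -days 398 -set_serial "$(date +%s)" -sha256 \
        -extfile "$2/san.ext" -in "$2/server-req.pem" -out "$2/server-cert.pem" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" 2>/dev/null
}

# check_cert CACERT CERT KEY HOST
# Returns 0 if every check passes, 1 if the chain or host name check fails,
# 2 if KEY is not the private key for CERT.
check_cert() {
    # Chain must build to this CA and the cert must be valid for HOST.
    openssl verify -CAfile "$1" -verify_hostname "$4" "$2" >/dev/null 2>&1 || return 1
    # Public key in the cert must equal the one derived from the private key.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] || return 2
}

# Usage, run from an empty working directory:
#   make_ca . MyOrgCA
#   issue_cert . . mysite.myorg.internal "DNS:site1.myorg.internal,DNS:site2.myorg.internal"
#   check_cert ca-cert.pem server-cert.pem server-key.pem site1.myorg.internal
```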
