A Certificate Authority with OpenSSL

by luca

Several protocols rely on SSL certificates for their security. Usually, those certificates are issued by public certificate authorities (CAs). When we connect to a website over HTTPS, the browser must recognize the identity of the CA that signed the server certificate; otherwise an error message is shown.


A CA “creates” a new certificate by signing it with its own certificate. There can be more than one level: for example, the Google certificate (in blue) has been signed by an intermediate CA (green), whose certificate is signed by a root CA (red).


To consider the certificate valid, the browser or the operating system must have the certificates of the CAs that signed it in their trusted repository:


Today I’ll explain how to create a CA using an open-source tool, OpenSSL. This CA will be very useful every time you need an SSL certificate for internal use.

After having installed the OpenSSL tool, create a new folder dedicated to the CA (in my example, MyCA).

Within the new folder, create some empty folders and files:


Open the “serial” file and type the value 1000 (this will be the serial number of our first certificate).

Now download the openssl.cnf file from my GitHub repository and copy it into the MyCA folder. This file contains the whole configuration of the Certificate Authority.

Open the file and set the dir parameter to the path of your CA’s main folder:


Now generate the private key of your CA. All the following commands must be issued in the MyCA folder:

openssl genrsa -aes256 -out private/ca.key.pem 4096

You’ll be prompted for a password; it’s very important to note it down because you’ll need it every time you use the CA.

Now generate the self-signed certificate for the CA:

openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 3650 -sha256 -extensions v3_ca -out certs/ca.cert.pem

OpenSSL will ask for some information, the most important of which is the Common Name, the name that identifies your CA.


Let’s now generate client or server certificates using your new CA.

Generating a new certificate starts from a private key, which is stored securely on the system that will use the certificate (for example, on the web server that will publish the site over HTTPS). Then you generate a CSR (certificate signing request) from the key. The CSR is the file that the CA signs to produce the final certificate.

As CA administrator, you can receive the CSR file from the end user; alternatively you can generate it using OpenSSL:

1. generate the private key (RSA algorithm) for your new certificate:

openssl.exe genrsa -out server.key

2. generate the CSR file:

openssl.exe req -new -config openssl.cnf -key server.key -out server.csr

Again you are prompted for some information, including the name (common name) of your server.

Now generate the certificate by signing the request:

openssl.exe ca -config openssl.cnf -extensions server_cert -notext -in server.csr -out server.cer

Confirm with two Y (yes) and your new certificate is ready.
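
The whole procedure above, run non-interactively in a POSIX shell and followed by the checks a CA administrator would make on the result, as an added example that is not the author's code. The inline openssl.cnf is a constructed minimal stand-in for the file in the author's repository, and the passphrase, subject names, 2048-bit key sizes and the build_and_verify function name are assumptions made for the demo.

```shell
# Added example: throwaway CA in a temp dir; the config is a constructed
# minimal stand-in for the author's openssl.cnf, not a copy of it.
build_and_verify() {
  d=$(mktemp -d) && cd "$d" || return 1
  mkdir certs newcerts private && : > index.txt && echo 1000 > serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
default_md = sha256
default_days = 375
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  pw=pass:demo-only-passphrase  # constructed; never hard-code a real CA passphrase
  # 2048-bit keys keep the demo fast; the article uses 4096 for the CA key
  openssl genrsa -aes256 -passout "$pw" -out private/ca.key.pem 2048 2>/dev/null
  openssl req -config openssl.cnf -key private/ca.key.pem -passin "$pw" -new -x509 \
    -days 3650 -sha256 -extensions v3_ca -subj "/CN=MyCA Demo Root" \
    -out certs/ca.cert.pem || return 1
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -config openssl.cnf -key server.key \
    -subj "/CN=server.example.internal" -out server.csr || return 1
  openssl ca -config openssl.cnf -batch -passin "$pw" -extensions server_cert \
    -notext -in server.csr -out server.cer 2>/dev/null || return 1
  # Checks: chain validates to the CA, first serial is 1000, leaf is not a CA
  openssl verify -CAfile certs/ca.cert.pem server.cer >/dev/null || return 1
  openssl x509 -in server.cer -noout -serial | grep -q 'serial=1000' || return 1
  openssl x509 -in server.cer -noout -text | grep -q 'CA:FALSE' || return 1
  echo "$d"  # prints the working directory on success
}
```

Calling build_and_verify prints the temporary directory only if all three checks pass; afterwards the serial file holds 1001 and newcerts/ contains a copy of the issued certificate named 1000.pem.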

