How to create your own SSL CA?

How to create your own SSL certificate authority in order to roll out custom certificates for your services.

Let's start by generating the directory structure that the OpenSSL package needs:

mkdir /usr/local/ssl/ca
cd /usr/local/ssl/ca
mkdir certs
mkdir private
chmod 700 private
echo "01" > serial
touch index.txt

Now generate the private and public keys for your CA. The private key is needed for signing certificate requests, while the public key (in the CA certificate) should be made available to anyone who wishes to check whether the certificates presented to clients are really signed by you:

openssl req -x509 -newkey rsa -out cacert.pem -keyout private/cakey.pem -outform PEM -days 3650 -config openssl.cnf

The generated cacert.pem can be made publicly available, but the private/cakey.pem should be kept in deep secrecy.

Now you are ready to make the first certificate request:

openssl req -new -out file.csr -keyout file.pem -config openssl.cnf

Some software packages need the generated private key to be stored unencrypted. For that, use the command:

openssl rsa -in file.pem -out file.key

The last step is to sign your certificate request with your CA's private key so the resulting certificate can be used by the software:

openssl ca -in file.csr -out file.crt -config openssl.cnf
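The whole procedure above, run end to end as an added example (not code from the original post): it builds the CA in a scratch directory instead of /usr/local/ssl/ca, issues one service certificate, and finishes with the check a client performs, openssl verify against cacert.pem. The page refers to openssl.cnf but never shows one, so the config body below is an assumption; the CA key is left unencrypted (-nodes) only so the script runs without a passphrase prompt.

```shell
# Added example: builds the CA described above in a scratch directory
# (not /usr/local/ssl/ca), issues one service certificate and verifies the
# chain. The openssl.cnf body is an assumption; the page does not show it.
set -eu

make_ca_and_issue() {
    ca="$1"   # directory to build the CA in
    host="$2" # common name of the service certificate
    mkdir -p "$ca/certs" "$ca/private"
    chmod 700 "$ca/private"
    echo "01" > "$ca/serial"
    : > "$ca/index.txt"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca
[ local_ca ]
dir             = $ca
new_certs_dir   = \$dir/certs
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = cn_only
x509_extensions = leaf_ext
[ cn_only ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$host
EOF
    # CA key and self-signed CA certificate (-nodes only avoids a passphrase prompt here).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test CA" \
        -config "$ca/openssl.cnf" -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    # Certificate request for the service, then sign it with the CA's private key.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -config "$ca/openssl.cnf" -keyout "$ca/file.key" -out "$ca/file.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca/openssl.cnf" -in "$ca/file.csr" -out "$ca/file.crt" 2>/dev/null
    # What a client checks: does the issued certificate chain to cacert.pem?
    openssl verify -CAfile "$ca/cacert.pem" "$ca/file.crt" >/dev/null
}
```

Call it as `make_ca_and_issue "$(mktemp -d)" svc.example.test`; a non-zero exit from the final openssl verify means the issued certificate does not chain to the CA.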

  • Christopher

    This was very useful information! ty