How to create your own SSL CA?
Let's start by creating the directory structure that the openssl ca tool expects. The serial and index.txt files are the CA's issuance records: openssl ca reads the next serial number from serial and appends one line per issued certificate to index.txt, so both must exist (and be referenced from the [ca] section of your openssl.cnf) before the first certificate is signed:
mkdir -p /usr/local/ssl/ca
cd /usr/local/ssl/ca
mkdir certs
mkdir private
chmod 700 private
echo "01" > serial
touch index.txt
Now generate the CA key pair and the CA's self-signed certificate. The private key is what signs certificate requests; the certificate (cacert.pem) carries the public key and is what anyone who wants to check whether a certificate was really issued by you must have available. Give the key an explicit size and use the same configuration file name in every step (the commands below all use openssl.cnf):
openssl req -x509 -newkey rsa:4096 -sha256 -out cacert.pem -keyout private/cakey.pem -outform PEM -days 3650 -config openssl.cnf
The generated cacert.pem can be distributed freely, but private/cakey.pem must be kept strictly secret: anyone who obtains it can issue certificates that your clients will trust. Keep it encrypted (openssl req prompts for a passphrase) and readable only by the CA user (chmod 600).
Now you are ready to make the first certificate request:
openssl req -new -out file.csr -keyout file.pem -config openssl.cnf
- The file.csr contains the certificate request itself.
- The file.pem holds the encrypted private key.
Some software packages need the private key to be kept unencrypted, because they must load it at startup without anyone typing a passphrase. For that, decrypt it with the command (it will prompt for the passphrase you chose when the key was created):
openssl rsa -in file.pem -out file.key
- file.pem is the file produced by the previous command (the -keyout argument).
- file.key now contains the unencrypted private key. Since nothing protects it but file permissions, be sure to store it in a safe place with restrictive permissions (chmod 600), e.g. not in the server's /tmp directory.
The last step is to sign the certificate request with your CA's private key so that the resulting certificate can be used by the software. openssl ca takes the CA certificate, the CA key, the serial file and the index.txt database from the [ca] section of openssl.cnf, so that section must point at the directory created above; it will prompt for the CA key passphrase and then update serial and index.txt:
openssl ca -in file.csr -out file.crt -config openssl.cnf
- file.crt is now the signed certificate for the request that was in the file file.csr. Before deploying it, confirm that it really chains to your CA with openssl verify -CAfile cacert.pem file.crt.
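The page never shows the openssl.cnf that ties these commands together, which is where most first attempts at openssl ca fail. The script below is an added example, not part of the original page: it runs the whole procedure (directory layout, minimal configuration, CA creation, request, decrypted key, signing, verification) non-interactively in a scratch directory. The configuration sections, the demo passphrases and the names Demo Root CA and www.example.test are all assumptions made up for the example; openssl 1.1 or 3.x must be on PATH.

```shell
#!/bin/sh
# Added example: the CA procedure from the page, end to end, with the
# openssl.cnf the page omits. All names and passphrases are constructed.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # stand-in for /usr/local/ssl/ca
CA_PASS="demo-ca-passphrase"        # constructed; protects private/cakey.pem
KEY_PASS="demo-key-passphrase"      # constructed; protects file.pem

write_ca_config() {
    # Minimal openssl.cnf whose [ca] section points at the layout the
    # page creates: certs/, private/, serial and index.txt under dir.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $CA_DIR
certs           = \$dir/certs
new_certs_dir   = \$dir/certs
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = server_ext

[ demo_policy ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

create_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    echo "01" > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    write_ca_config
    # Self-signed CA certificate (public) plus encrypted CA key (private).
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -config "$CA_DIR/openssl.cnf" -extensions ca_ext \
        -subj "/CN=Demo Root CA" -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
    chmod 600 "$CA_DIR/private/cakey.pem"
}

issue_cert() {
    # $1 = base name, $2 = common name. Produces $1.csr, $1.pem (encrypted
    # key), $1.key (unencrypted key) and $1.crt (certificate signed by the CA).
    name="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -config "$CA_DIR/openssl.cnf" \
        -subj "/CN=$cn" -passout "pass:$KEY_PASS" \
        -keyout "$CA_DIR/$name.pem" -out "$CA_DIR/$name.csr"
    openssl rsa -in "$CA_DIR/$name.pem" -passin "pass:$KEY_PASS" \
        -out "$CA_DIR/$name.key"
    chmod 600 "$CA_DIR/$name.key"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -passin "pass:$CA_PASS" -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt"
}

verify_cert() {
    # The check a client performs: does cacert.pem sign $1.crt?
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

cert_subject() {
    openssl x509 -in "$CA_DIR/$1.crt" -noout -subject
}

key_is_encrypted() {
    # Encrypted PEM keys carry "ENCRYPTED" in their header; plain ones do not.
    grep -q "ENCRYPTED" "$1"
}

create_ca
issue_cert server "www.example.test"
verify_cert server && echo "server.crt chains to cacert.pem in $CA_DIR"
cert_subject server
```

Run it as is to get a throwaway CA under a mktemp directory, or set CA_DIR to a persistent path. The policy section deliberately lists only commonName: openssl ca silently drops any request DN field the policy does not mention, so a production config should list every field you expect to see in issued certificates.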