Be Your Own Certificate Authority


Apparently I work in network security. This means it’s high time I figure out all this certificate malarky. I’ve maintained SSL-protected web sites before and, thus, had some contact with the openssl command. However, all these .key, .pem and .csr files have confused me. So, I thought I’d sit down and document all the bits and pieces required to stand up your own root certificate authority (CA) certificate and document what all the commands mean along the way.

These steps assume that you have a secured CA computer A as well as one or more web servers, B etc.


Root CA

The root CA key and certificate constitute the root of your trust hierarchy. You will only generate these materials once. From these materials, you can then generate an arbitrary number of derived certificates for individual web sites.

Root CA private key

You must provide a secure, secret passphrase for this private key. Run the following command on A:

openssl genrsa -des3 -out rootca.key 2048


Root CA certificate

Run the following command on A:

openssl req \
    -x509 \
    -new \
    -nodes \
    -key rootca.key \
    -sha256 \
    -days 1825 \
    -subj "/C=US/ST=Washington/L=Bothell/O=Richard Cook CA/" \
    -out rootca.pem



These steps generate a certificate that allows one or more derived, or subsidiary, web servers to securely identify themselves to clients by deriving trust from the root CA we set up previously. The following steps will refer to a given web server as B.

Server private key

Run the following command on B:

openssl genrsa -out myserver.key 2048


Server certificate-signing request (CSR)

Run the following command on B:

openssl req \
    -new \
    -key myserver.key \
    -subj "/C=US/ST=Washington/L=Bothell/O=myserverdns Services/CN=myserverdns/" \
    -out myserver.csr


Signing configuration file

Run the following command on A:

cat << EOF > myserver.cnf
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

DNS.1 = myserverdns


Server certificate

Run the following command on A:

openssl x509 \
    -req \
    -in myserver.csr \
    -CA rootca.pem \
    -CAkey rootca.key \
    -CAcreateserial \
    -out myserver.crt \
    -days 1825 \
    -sha256 \
    -extfile myserver.cnf


Install root CA certificate in Chrome



Content © 2024 Richard Cook. All rights reserved.