You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

4.6 KiB

title description date tags draft
Creating and Using a CA Certificate 2023-01-27

Even though there are plenty of options available for obtaining an SSL certificate, you may want to issue your certificates and check their validity using your own CA. This is useful for internal domains or doing mTLS for services in your networks.

Below is how to create a CA certificate and issue certs with it, and how to verify that a certificate was issued with the CA you generated.

All examples here use the OpenSSL command-line tool.

Creating the Certificate Authority Certificate and Keys

First generate the private key and Root CA certificate that we will use to issue certs.

  1. Generate a private key for the CA:
openssl genrsa 4096 > ca-key.pem
  1. Generate the X509 CA certificate. Note that if you exclude -subj you will get an interactive prompt instead:
openssl req -new -x509 -nodes -days 3650 -sha256 \
	-subj "/C=US/O=My Org, Inc./OU=R&D/CN=MyOrgCA" \
	-key ca-key.pem \
	-out ca-cert.pem

If you want to pass more options to -subj the following are the available attribute strings - from RFC4514 Page 6:

		String  X.500 AttributeType
		------  --------------------------------------------
		CN      commonName (
		L       localityName (
		ST      stateOrProvinceName (
		O       organizationName (
		OU      organizationalUnitName (
		C       countryName (
		STREET  streetAddress (
		DC      domainComponent (0.9.2342.19200300.100.1.25)
		UID     userId (0.9.2342.19200300.100.1.1)

At this point you can view the CA certificate in a pretty format:

$ openssl x509 -in -text -noout
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "My Org, Inc.", OU = R&D, CN = MyOrgCA
            Not Before: Jan 29 02:06:59 2023 GMT
            Not After : Jan 26 02:06:59 2033 GMT
        Subject: C = US, O = "My Org, Inc.", OU = R&D, CN = MyOrgCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Creating the Server's Certificate and Keys

Now that we have our Root CA certificate we can issue certs for our servers to use. To do this you must first generate a certificate request, and then sign it with your Root CA cert to generate the final certificate.

  1. Generate the private key and certificate request:
openssl req -newkey rsa:4096 -nodes -sha256 \
	-subj "/CN=mysite.myorg.internal" \
	-keyout server-key.pem \
	-out server-req.pem

If you want to add Subject Alternative Names (SANs) to make your cert valid for multiple DNS names, you can use the encantation below:

openssl req -newkey rsa:4096 -nodes -days 3650 -sha256 \
	-subj "/" \
	-reqexts SAN \
	-config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:site1.myorg.internal,DNS:site2.myorg.internal")) \
	-key server-key.pem \
	-out server-req.pem
  1. Generate the X509 certificate for the server:

When setting -days, the validity time can be no longer than 398 days (13 months) or you might see errors. This is for security reasons, read up on the history behind it here at global sign.

The flag -set_serial is like an ID number for each cert issued by your CA. It must be a positive integer and unique to each cert issued. Below I'm just using date +%s to get a unix timestamp for a simple serial number.

For further reading see RFC 5280.

openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
	-in server-req.pem \
	-out server-cert.pem \
	-CA ca-cert.pem \
	-CAkey ca-key.pem

# Or once again, if you need to specify SANs
openssl x509 -req -days 398 -set_serial $(date +%s) -sha256 \
	-extfile <(printf "subjectAltName=DNS:site1.myorg.internal,DNS:site2.myorg.internal") \
	-in server-req.pem \
	-out server-cert.pem \
	-CA ca-cert.pem \
	-CAkey ca-key.pem

Verifying the Certificate

  1. To verify the server certificate:
$ openssl verify -CAfile ca-cert.pem server-cert.pem