We use cookies to ensure that we give you the best experience on our website.

How to create your own certificate authority with OpenSSL

When developing local web projects or even deploying local servers you might want to use your own CA to create and sign certificates and get valid secure connection in browser.

Generate private key and ROOT certificate

First create a directory which fill contain all the CA files.

mkdir ~/my_awesome_ca
cd ~/my_awesome_ca

Generate CA private key using SH265 cypher:

openssl genrsa -aes256 -out awesomeCA.key
Generating RSA private key, 2048 bit long modulus
..............+++
......................................+++
e is 65537 (0x10001)
Enter pass phrase for awesomeCA.key:
Verifying - Enter pass phrase for awesomeCA.key:

Generate Root CA certificate:

openssl req -x509 -new -key awesomeCA.key -sha256 -days 1825 -out awesomeCA.pem
openssl req -x509 -new -key awesomeCA.key -sha256 -days 1825 -out awesomeCA.pem
Enter pass phrase for awesomeCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SI
State or Province Name (full name) []:Slovenia
Locality Name (eg, city) [Default City]:Koper
Organization Name (eg, company) [Default Company Ltd]:Awesome Organization
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Awesome CA
Email Address []:

Creating CA-Signed Certificates

First we have to create a site private key. 

openssl genrsa -out awesome_site.key 2048

Then we generate a certificate request.

openssl req -new -key awesome_site.key -out awesome_site.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SI
State or Province Name (full name) []:Slovenia
Locality Name (eg, city) [Default City]:Koper
Organization Name (eg, company) [Default Company Ltd]:Awesome Organization
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Awesome Site
Email Address []:email@awesome_site.local

Before creating the certificate itself we have to make another file where we define the Subject Alternative Name (SAN) for out host.

cat <<EOF> awesome_site.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = awesome_site.local
EOF

Now we run the command to create the certificate: using our CSR, the CA private key, the CA certificate, and the config file.

openssl x509 -req -in awesome_site.csr -CA awesomeCA.pem -CAkey awesomeCA.key -CAcreateserial -out awesome_site.crt -days 825 -sha256 -extfile awesome_site.ext

Related Posts

Trending now

RAspberry PI5 HomeAssistant WIFI Setup with CLI
Bash history command with date and time
How to create your own certificate authority with OpenSSL
Using HEREDOCS in Bash