Tip: Set up your own Certificate Authority (CA)
Posted By: apeiro
A quick rundown on how you can create a basic CA to self-sign your own certificates.
There are a few different ways to do this, but one of the easier ways is to use the CA.pl script that's typically bundled with openssl.
Its location will vary depending on what distribution you run. Use locate or check the common places, such as
Once found, use it like so.
Generate CA Certificate
This is the master certificate/key. The CA key is used to sign CSRs to create new certificates, and the CA cert can be distributed with these new certificates so their authenticity can be verified.
First change to a new directory where your CA files can live. Then generate the CA key and cert:
Generate a Certificate Signing Request (CSR)
In the same directory you started in, generate the CSR:
Fill out all the questions and you'll end up with a newreq.pem file containing a key and a CSR.
Sign the CSR with your CA key
Enter the password for your CA key when asked, and it should do the rest, leaving you with a newcert.pem.
Extract the key from your CSR PEM
Often you need the key in a password-less form so you can use it in non-interactive daemon programs. To extract your key from newreq.pem in a password-less format, run this:
openssl rsa <newreq.pem >newkey.pem
Your key now lives in newkey.pem. Rename all these files as you see fit.
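The four steps above written as plain openssl commands with checks on the result, added here as an example and not taken from the original post or from CA.pl itself. It assumes openssl is on the PATH; the passphrases, subject names, demo.cnf and the helper function names are constructed, and openssl x509 -req stands in for CA.pl's signing step so that no demoCA directory layout is needed.

```shell
#!/bin/sh
# Added example, not from the original post. Passphrases and names are constructed.
CA_PASS='demo-ca-pass'
REQ_PASS='demo-req-pass'

# Runs in a subshell so the cd and umask do not leak into the caller.
build_demo() (
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077   # key files are created readable by the owner only
    # Minimal request config, so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Demo CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > demo.cnf
    # 1. CA key (passphrase-protected) and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -config demo.cnf -days 365 \
        -keyout cakey.pem -out cacert.pem -passout "pass:$CA_PASS" \
        2>/dev/null || exit 1
    # 2. Key and CSR, combined into newreq.pem as the post describes.
    openssl req -new -newkey rsa:2048 -config demo.cnf \
        -subj '/CN=www.example.test' -keyout req.key -out req.csr \
        -passout "pass:$REQ_PASS" 2>/dev/null || exit 1
    cat req.key req.csr > newreq.pem && rm -f req.key req.csr
    # 3. Sign the CSR with the CA key (x509 -req stands in for CA.pl here).
    openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
        -passin "pass:$CA_PASS" -CAcreateserial -days 365 \
        -out newcert.pem 2>/dev/null || exit 1
    # 4. The post's command: write the key out without a passphrase.
    openssl rsa -passin "pass:$REQ_PASS" <newreq.pem >newkey.pem 2>/dev/null
)

# newcert.pem must verify against the CA certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}
# The extracted key must belong to the signed certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/newcert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/newkey.pem" -pubout)" ]
}
# Mode string of the passphrase-less key, e.g. -rw-------
key_mode() { ls -l "$1/newkey.pem" | cut -c1-10; }

demo_dir=$(mktemp -d)
build_demo "$demo_dir" && cert_chains_to_ca "$demo_dir" \
    && key_matches_cert "$demo_dir" \
    && echo "ok: newkey.pem is $(key_mode "$demo_dir") in $demo_dir"
```

Because newkey.pem carries no passphrase, its file mode is the only thing protecting it on disk; the umask in the script keeps it owner-only from the moment it is written.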