Creating your own CA lets you issue certificates that are trusted inside your own environment without going through a public CA. Once the CA certificate is installed as trusted, every certificate signed by that CA is trusted as well. This guide shows how to create the CA certificate, generate a certificate request, and sign it with the CA.

Creating CA

We generate the key and certificate for the CA first. It is the same process as generating a normal certificate, except that the certificate is self-signed (the -x509 option) instead of being submitted as a request.

openssl genrsa -out rootCAKey.pem 2048
openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem

That's it! The CA is created and self-signed. You can change the number of days in the command from 3650 to whatever you need. Two things worth knowing: genrsa wrote rootCAKey.pem unencrypted (the -nodes flag has no effect here because the key was supplied with -key rather than generated by req), so anyone who obtains that file can mint certificates for any name that every client trusting this CA will accept. Keep the root key offline or generate it with openssl genrsa -aes256 to protect it with a passphrase. Also confirm with openssl x509 -in rootCACert.pem -noout -text that the certificate carries basicConstraints CA:TRUE (the stock openssl.cnf adds it for -x509); without it, verifiers reject anything this CA signs.

Creating Cert Request

When generating a certificate request you can use a configuration file to skip the interactive prompts and to add alternate names. Modern browsers match the hostname against subjectAltName rather than CN, so the SAN entry is required, not optional. Here is an example configuration we will call newServerCertReq.config.

[req]
req_extensions = v3_req
distinguished_name = dn
prompt = no

[dn]
CN = <FQDN of your new server>
C = <Country Name (2 letter code)>
L = <Locality Name (eg, city)>
O = <Organization Name (eg, company)>
OU = <Organizational Unit Name (eg, section)>

[v3_req]
subjectAltName = DNS:<FQDN of your new server>

Run the following commands to generate a key and certificate request that we will later sign with our CA cert. If you aren't using a configuration file, drop the -config argument and answer the prompts instead.

openssl genrsa -out newServerKey.pem 2048
openssl req -new -key newServerKey.pem -sha256 -config newServerCertReq.config -out newServerCert.csr

Signing Cert

openssl x509 -req does not carry the extensions from the CSR into the signed certificate, so the subjectAltName from the request config would be dropped. To get it into the certificate, create a file called san.ext with the Subject Alternate Names like the file below (the same form as the v3_req section, any number of comma-separated DNS: entries).

subjectAltName = DNS:<FQDN>

Then sign the cert with the following command. If you aren't using an alternate name file then leave out the -extfile argument, but be aware the resulting certificate will have no SAN and browsers will not accept it for the hostname. -CAcreateserial writes rootCACert.srl the first time; later signings reuse and increment it, so keep that file with the CA.

openssl x509 -req -sha256 -in newServerCert.csr -CA ./rootCACert.pem -CAkey ./rootCAKey.pem -CAcreateserial -out newServerCert.pem -days 365 -extfile san.ext
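The whole procedure end to end, as an added example that is not part of the original guide: it writes the CA config, the request config and san.ext itself so it runs without a system openssl.cnf, then performs the checks a practitioner runs afterwards (the leaf chains to the root, the SAN actually made it into the certificate, and only the root carries the CA flag). The CA subject, the server name www.example.internal and the scratch directory are assumptions chosen for the example; file names follow the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): private CA, CSR, signing,
# and verification in one script. Subject names, www.example.internal and
# the scratch directory are assumptions chosen for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# 1. Root CA. The config states the CA flag explicitly instead of relying
#    on whatever x509_extensions the system openssl.cnf happens to set.
cat > rootCA.config <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = Example Private Root CA
O = Example Org
C = US

[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {
  openssl genrsa -out rootCAKey.pem 2048 2>/dev/null
  openssl req -x509 -sha256 -new -key rootCAKey.pem -days 3650 \
    -config rootCA.config -out rootCACert.pem
}

# 2. Server key and CSR, using the guide's request config with real values.
cat > newServerCertReq.config <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = dn
prompt = no

[dn]
CN = www.example.internal
C = US
L = Springfield
O = Example Org
OU = Platform

[v3_req]
subjectAltName = DNS:www.example.internal
EOF

make_csr() {
  openssl genrsa -out newServerKey.pem 2048 2>/dev/null
  openssl req -new -sha256 -key newServerKey.pem \
    -config newServerCertReq.config -out newServerCert.csr
}

# 3. Sign. "openssl x509 -req" does not copy the CSR's extensions, so the
#    SAN and the leaf constraints are supplied again through san.ext.
cat > san.ext <<'EOF'
subjectAltName = DNS:www.example.internal, DNS:example.internal
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

sign_cert() {
  openssl x509 -req -sha256 -in newServerCert.csr -CA rootCACert.pem \
    -CAkey rootCAKey.pem -CAcreateserial -days 365 -extfile san.ext \
    -out newServerCert.pem 2>/dev/null
}

# 4. Checks. Each returns 0 on success so a caller can act on the result.
verify_chain() {            # does the leaf chain to our root?
  openssl verify -CAfile rootCACert.pem newServerCert.pem >/dev/null
}
cert_has_san() {            # $1 = cert file, $2 = DNS name to look for
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
is_ca_cert() {              # $1 = cert file; true if CA:TRUE is asserted
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_ca
make_csr
sign_cert
verify_chain && echo "chain OK"
cert_has_san newServerCert.pem www.example.internal && echo "SAN present"
is_ca_cert newServerCert.pem || echo "leaf is not a CA (good)"
```

The checks are the point of the script: openssl verify proves the signature and the CA flag on the root, and grepping the decoded certificate proves the SAN survived signing. Try signing once more without -extfile and run cert_has_san again to see the SAN disappear; that is the mistake the san.ext file exists to prevent. Before signing anything you did not generate yourself, inspect the request with openssl req -in newServerCert.csr -noout -text so you know exactly which names you are vouching for.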

Conclusion

Any certs needed can be signed this way. Adding the CA certificate (rootCACert.pem, never the key) to a browser or operating system trust store makes every site with a certificate signed by this CA trusted. Remember that this trust is only as strong as the protection on rootCAKey.pem: whoever holds it can issue a certificate for any hostname that those clients will accept without complaint.