How to create a private CA (Certification Authority)
Sometimes you need to create a private Certification Authority (CA) for asymmetric cryptography (issuing your own certificates), for testing certificate issuance, or for testing SSL-secured scenarios without buying certificates from a public CA. Here is a short guide to help you create your own CA.
Install OpenSSL
sudo apt-get update
sudo apt-get install openssl
Setup the PKI folder
First of all, you need to set up your environment for creating the CA.
mkdir -p /etc/pki/CA
After that, create the directories for certificates and their associated files.
cd /etc/pki/CA/
mkdir private
mkdir ca
mkdir certs
mkdir newcerts
mkdir crl
After that, initialize the files that track issued and revoked certificates. The index.txt file is the CA's database of every certificate it has created. The serial file holds the serial number of the next certificate the CA will issue, and the crlnumber file holds the number of the next CRL (certificate revocation list) it will publish.
touch index.txt
echo 01 > serial
echo 01 > crlnumber
Create the CA
Edit the openssl.cnf file.
nano /etc/ssl/openssl.cnf
In the [ CA_default ] section, point the paths at the directories you just created. By default they point elsewhere (the stock configuration uses ./demoCA).
...
####################################################################
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs # For issued certs
crl_dir = $dir/crl # For issued crl
database = $dir/index.txt # database index file.
#unique_subject = no
new_certs_dir = $dir/newcerts # place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/serial # The current s. number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
...
Now it is possible to create the private RSA key for the CA.
openssl genrsa -des3 -out private/ca.key
Then there is a prompt asking you for a password. For example, we define the password as example-password.
After that, you need to create the Certificate Signing Request (CSR), which defines the following elements.
- Country Code (C): PT
- State/Region (ST): Coimbra
- Location/City (L): Coimbra
- Organization (O): MyOrg
- Organization Unit (OU): MyOrgDep
- Common Name (CN): CA
- E-Mail (emailAddress): ca@example.com
The following command passes the Certificate Signing Request information inline with the -subj flag. With the -passin flag, we supply the private key's password directly so that the CSR can be signed without a prompt.
openssl req -new -key private/ca.key -out ca/ca.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=CA/emailAddress=ca@example.com -passin pass:example-password
After that, you need to self-sign the CA certificate with its private key for ten years (3650 days).
openssl x509 -req -days 3650 -in ca/ca.csr -out certs/ca.crt -signkey private/ca.key -passin pass:example-password
You can now verify that the CA certificate was created correctly.
openssl x509 -in certs/ca.crt -text
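The whole procedure above, scripted end to end as an added example (it is not part of the original guide): it builds the same layout in a scratch directory instead of /etc/pki/CA, adds CA:TRUE and keyCertSign extensions when self-signing so every OpenSSL version treats the certificate as a trust anchor, and then issues one test certificate with openssl ca to confirm that the serial and index.txt bookkeeping works. PKI_DIR, the password and the test CN are constructed values.

```shell
# Builds the guide's PKI layout in a scratch dir (no root needed), self-signs
# the CA, then proves it works by issuing one test cert with "openssl ca" and
# verifying it. Constructed values: PKI_DIR, the password and the test CN.
set -e
build_private_ca() {  # $1 = PKI dir, $2 = CA key password
    dir="$1" pass="$2"
    mkdir -p "$dir/private" "$dir/ca" "$dir/certs" "$dir/newcerts" "$dir/crl"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF   # only the [ CA_default ] keys "openssl ca" needs
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.crt
serial = \$dir/serial
private_key = \$dir/private/ca.key
default_md = sha256
default_days = 365
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/private/ca.key" 2048
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/ca.key" \
        -passin "pass:$pass" -out "$dir/ca/ca.csr" \
        -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=CA/emailAddress=ca@example.com
    openssl x509 -req -days 3650 -in "$dir/ca/ca.csr" -signkey "$dir/private/ca.key" \
        -passin "pass:$pass" -extfile "$dir/openssl.cnf" -extensions ca_ext -out "$dir/certs/ca.crt"
}
issue_test_cert() {  # $1 = PKI dir, $2 = CA password, $3 = CN; -batch skips the y/n prompts
    openssl genrsa -out "$1/private/$3.key" 2048
    openssl req -new -config "$1/openssl.cnf" -key "$1/private/$3.key" \
        -subj "/CN=$3" -out "$1/ca/$3.csr"
    openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$2" \
        -in "$1/ca/$3.csr" -out "$1/certs/$3.crt"
}
verify_against_ca() { openssl verify -CAfile "$1/certs/ca.crt" "$2" >/dev/null; }  # exit 0 if chain is OK
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
build_private_ca "$PKI_DIR" example-password
issue_test_cert "$PKI_DIR" example-password test.example.com
verify_against_ca "$PKI_DIR" "$PKI_DIR/certs/test.example.com.crt"
echo "CA ready in $PKI_DIR; next serial is $(cat "$PKI_DIR/serial")"
```

After the run, index.txt carries one V (valid) line for the test certificate and serial has advanced to 02, which is exactly the bookkeeping the guide's files exist for.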
Install the CA on the browser
Now we can easily import the ca.crt file into our browser following these steps (in Firefox):
- Go to Settings
- Go to Privacy & Security
- Go to Certificates
- Click View Certificate
- Go to Authorities
- Click Import
- Import the ca.crt file
Congratulations, you now have your own Certification Authority!