How to create a private CA (Certification Authority)

Sometimes your need to create a private Certification Authority (CA) for asymmetric cryptography (generating privates certificates), testing certificates emission, or testing SSL secured scenarios without buying certificates from official CAs. Here is a little guide to help you create your own CA.

Install OpenSSL

sudo apt-get update
sudo apt-get install openssl

Setup the PKI folder

First of all, you need to set up your environment for creating the CA.

mkdir /etc/pki/CA

After that, create the directories for certificates and their associated files.

cd /etc/pki/CA/
mkdir private
mkdir ca
mkdir certs
mkdir newcerts
mkdir crl

After that, initialize the files to track the issued/revoked certificates. The index.txt file stores the information about certificates created by the CA. The serial/crlnumber file stores the serial number for the next certificate created/revoked by the CA.

touch index.txt
echo 01 > serial
echo 01 > crlnumber

Create the CA

Edit the openssl.cnf.

nano /etc/ssl/openssl.cnf

In the [CA_default] section, you need to put the directories previously created. By default, they have different.

...
####################################################################
[ CA_default ]

dir = /etc/pki/CA

certs = $dir/certs # For issued certs
crl_dir = $dir/crl # For issued crl
database = $dir/index.txt # database index file.
#unique_subject = no

new_certs_dir = $dir/newcerts # place for new certs.

certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/serial # The current s. number
crlnumber = $dir/crlnumber # the current crl number

crl = $dir/crl/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
...

Now it is possible to create the private RSA key for the CA.

openssl genrsa -des3 -out private/ca.key

Then there is a prompt asking you for a password. For example, we define the password as example-password.

After that, you need to create the Certificate Signing Request (CSR), which defines the following elements.

  • Country Code (C): PT
  • State/Region (ST): Coimbra
  • Location/City (L): Coimbra
  • Organization (O): MyOrg
  • Organization Unit (OU): MyOrgDep
  • Common Name (CN): CA
  • E-Mail (emailAddress): ca@example.com

The following command defines inline the information of the Certificate Signing Request with the -subj flag. With the -passin flag, we input the password directly for signing the CSR.

openssl req -new -key private/ca.key -out ca/ca.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=CA/emailAddress=ca@example.com -passin pass:example-password

After that, you need to self-sign the CA certificate with its private key for ten years (3650 days).

openssl x509 -req -days 3650 -in ca/ca.csr -out certs/ca.crt        -signkey private/ca.key -passin pass:example-password

You can now verify if the CA is created.

openssl x509 -in certs/ca.crt -text

Install the CA on the browser

Now we can easily import the ca.crt file into our browser following these steps (in firefox):

  1. Go to Settings
  2. Go to Privacy & Security
  3. Go to Certificates
  4. Click View Certificate
  5. Go to Authorities
  6. Click in Import
  7. Import the ca.crt file

Congratulations, you now have your own Certification Authority!

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Home Wireless Improvement Tips for WFH Parents.

Understanding MITRE ATT&CK & Cyber Kill Chain framework

ATT&CK terminology

Promote ZBG Exchange & SpaceVikings to share 1000 Billion SVT+6666USDT+58,888ZT

Quick guide for setting up proxychains

How to use Binance Smart Chain

Confusion Matrix And Cyber Security

RARA NFT Airdrop Coming Soon On CoinMarketCap

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dylan Perdigão

Dylan Perdigão

More from Medium

8 SEO tools to get Google Search Console URL Inspection API insights

What You Missed: The Big Big Spark Recap | CoinStats Blog

CoinStats BigBig Spark event

How we build a successful virtualization stack in 2022

Send email with an attachment and HTML body in WSO2 MI