Linux : How can I create and use my own Certificate Authority (CA)?

How can I create and use my own Certificate Authority (CA)?

1. Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):

$ openssl genrsa -des3 -out ca.key 1024

Please backup this ca.key file and remember the pass-phrase you currently entered at a secure location. You can see the details of this RSA private key via the command

$ openssl rsa -noout -text -in ca.key

And you can create a decrypted PEM version (not recommended) of this private key via:

$ openssl rsa -in ca.key -out ca.key.unsecure

2. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You can see the details of this Certificate via the command:

$ openssl x509 -noout -text -in ca.crt

3. Prepare a script for signing which is needed because the “openssl ca” command has some strange requirements and the default OpenSSL config doesn’t allow one easily to use “openssl ca” directly. So a script named is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

4. Now you can use this CA to sign server CSR’s in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

$ ./ server.csr

This signs the server CSR and results in a server.crt file.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.