FreeKB - OpenSSL Create root certificate authority (CA)
OpenSSL - Create root certificate authority (CA)

The easiest way to install the latest stable version of OpenSSL is to use apt-get or yum.

apt-get install openssl
yum install openssl

 


Private key

This assumes you've already created a private key, such as example.com.key. If not, refer to our article on creating a private key.

 


Config File

A config file is not required to be able to create a new certificate. However, if you have not created a config file, you will be prompted for input when creating the public certificate. If you want to avoid being prompted for values, refer to our article on creating a config file.

 


Public Certificate (aka X.509)

The public certificate is what is provided to the clients. There is a mathematical relationship between the public certificate and the private key: the certificate carries the public half of the key pair, and the private key is the matching half that must never be distributed. Both are needed in order for encryption to work.

 


Interactive Prompt Method

If you have not created a config file, then you will be prompted for values during the creation of the public certificate. In this example, a CA certificate named rootCA.pem will be created. Both .crt and .pem are valid file extensions for the certificate.

openssl req -new -x509 -days 365 -sha512 -key rootCA.key -out rootCA.pem

 


Config File Method

If you have created a config file, then you will not be prompted for values during the creation of the public certificate. In this scenario, you would use the -config option followed by the config file. The CA certificate will contain the values specified in the config file. Both .crt and .pem are valid file extensions for the certificate.

openssl req -new -x509 -days 365 -sha512 -key rootCA.key -out rootCA.pem -config rootCA.config

 


Append public certificates to the root certificate

Numerous "child" public certificates can be signed by (chained to) a single root CA.

 

Create a "child" public certificate signed by the root CA. In this command, rootCA.csr is the child's certificate signing request, rootCA.pem and rootCA.key are the root CA's certificate and private key, and rootCA.crt is the resulting signed child certificate. The -CAcreateserial option creates the serial number file (rootCA.srl) on first use.

openssl x509 -req -CAcreateserial -sha256 -days 365 -in rootCA.csr -CA rootCA.pem -CAkey rootCA.key -out rootCA.crt
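The full procedure from this article (root CA via the config-file method, then signing one child CSR) as an added example that is not part of the original page. The config contents, file names (rootCA.config, child.key, child.csr, child.crt) and the work directory are this example's own assumptions; the config also sets basicConstraints CA:TRUE so the root certificate is recognised as a CA when the chain is verified.

```shell
# Added example (not from the FreeKB article): non-interactive root CA, one signed
# child certificate, and the checks a practitioner wants before trusting the result.
set -eu

# Constructed config: fills the subject so `openssl req` does not prompt, and marks
# the certificate as a CA so `openssl verify` accepts it as an issuer.
write_root_config() {
    cat > "$1/rootCA.config" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
C  = US
O  = Example Lab
CN = Example Lab Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root private key plus self-signed root certificate (the article's config-file method).
create_root_ca() {
    dir="$1"
    write_root_config "$dir"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    chmod 600 "$dir/rootCA.key"      # the root key is the trust anchor; keep it private
    openssl req -new -x509 -days 365 -sha512 -key "$dir/rootCA.key" \
        -out "$dir/rootCA.pem" -config "$dir/rootCA.config"
}

# Child key and CSR, then sign the CSR with the root CA (the article's x509 -req step).
# The root config is reused only to avoid prompting; -subj overrides its subject.
sign_child() {
    dir="$1"
    openssl genrsa -out "$dir/child.key" 2048 2>/dev/null
    openssl req -new -key "$dir/child.key" -config "$dir/rootCA.config" \
        -subj "/CN=www.example.com" -out "$dir/child.csr"
    openssl x509 -req -CAcreateserial -sha256 -days 365 -in "$dir/child.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -out "$dir/child.crt" 2>/dev/null
}

# Returns 0 only if the child chains to the root and the root is flagged as a CA.
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/child.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/rootCA.pem" -noout -text | grep -q 'CA:TRUE'
}
```

Run it as `d=$(mktemp -d); create_root_ca "$d"; sign_child "$d"; verify_chain "$d" && echo "chain OK in $d"`.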

 


