Create a Certificate Authority (CA) using OpenSSL

Prabod Dunuwila
3 min read · Nov 22, 2024


In this article we discuss how to set up a Certificate Authority (CA) with OpenSSL. You can find the scripts and configuration files in the GitHub location here. We follow five steps to create and initialise our Certificate Authority:

  1. Setting up the directories
  2. Initialize the CA
  3. Create the Certificate Authority (CA)
  4. Review the generated files
  5. Completion messages

The script below executes all of the above steps.

#!/bin/sh
# createCA.sh: builds a self-signed root CA under ./sslCA using the settings in ../ca.cnf
set -e   # stop at the first failing command instead of continuing with a half-built CA

echo "Setting up the directories"
mkdir -p ./sslCA            # -p: do not fail if the directory already exists
echo "sslCA"
mkdir -p ./sslCA/certs
echo "sslCA/certs"
mkdir -p ./sslCA/private
chmod 700 ./sslCA/private   # only the owner may enter the directory holding the CA key
echo "sslCA/private"
mkdir -p ./sslCA/newcerts
echo "sslCA/newcerts"

echo "Initialize the CA"
cd ./sslCA
echo 1000 > serial          # serial number of the next certificate ('openssl ca' reads it as hex)
touch index.txt             # empty certificate database maintained by 'openssl ca'

echo "Creating the CA"
echo "Use a strong password and keep it safe!"
# New 2048-bit RSA key (encrypted with the passphrase you enter) and a self-signed
# certificate valid for 10 years, carrying the v3_ca extensions defined in ca.cnf
openssl req -new -newkey rsa:2048 -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config ../ca.cnf

echo "Review the generated files"
more ./cacert.pem
more ./private/cakey.pem

echo "sslCA/cacert.pem"
echo "sslCA/private/cakey.pem"
echo "CA created!!!"

Let’s go through each step one by one.

Setting up the directories

This step creates the directory structure for the CA. The following directories are created:

sslCA: Root directory for the CA.
sslCA/certs: For storing issued certificates.
sslCA/private: For storing private keys.
sslCA/newcerts: For storing newly issued certificates.

Initialize the CA

In this section, the first command moves into the sslCA directory. The next one initialises the serial number file with the value 1000; each certificate issued by the CA gets a unique serial number, counting up from this value. Finally, it creates an empty file named index.txt, which OpenSSL uses to keep track of issued certificates.

Create the Certificate Authority (CA)

This section runs an openssl command that generates the CA's private key and a self-signed certificate, based on the ca.cnf configuration file (you can refer here for the content of the configuration file). The key is protected with the passphrase you enter when prompted. The private key is saved to private/cakey.pem and the self-signed certificate to cacert.pem.

Review the generated files

Displays the contents of the generated certificate (cacert.pem) and the private key (cakey.pem) for verification.

Completion messages

Prints the locations of the generated files and a completion message.

To try it out, first clone the GitHub repository and navigate into the openssl directory, where you will find the files createCA.sh and ca.cnf. Execute the createCA.sh script (providing the passphrase when prompted) and you will see the output of each step in your terminal.

You will then see that a new sslCA directory has been created together with its subdirectories. The public certificate of the CA is in the sslCA directory as cacert.pem, and its private key is in the sslCA/private directory as cakey.pem.
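Before trusting the new CA or using it to sign anything, it is worth checking what the script actually produced. The POSIX shell script below is an added example (not part of the article or its repository); it is hypothetically named check_ca.sh, assumes the sslCA layout described above, and takes the key passphrase as its second argument or from a CA_PASS environment variable. It confirms that cakey.pem is passphrase-encrypted, that cacert.pem is self-signed and marked CA:TRUE, that the key really belongs to the certificate, that serial and index.txt are in place, and that the private directory is not group- or world-accessible.

```shell
#!/bin/sh
# check_ca.sh (hypothetical name): sanity checks for a CA built by createCA.sh.
# Usage: sh check_ca.sh ./sslCA [passphrase]   (or export CA_PASS=... first)

# The private key must be passphrase-protected; both the legacy PEM header
# ("Proc-Type: 4,ENCRYPTED") and the PKCS#8 header ("BEGIN ENCRYPTED PRIVATE KEY") contain ENCRYPTED.
ca_key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# A root CA certificate must be self-signed (subject == issuer) and carry basicConstraints CA:TRUE.
ca_cert_is_ca() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//') || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//') || return 1
    [ "$subj" = "$iss" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# The public key embedded in the certificate must equal the one derived from the private key.
ca_key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 'openssl ca' refuses to sign without index.txt and a serial file holding a hex number.
ca_state_ok() {
    [ -f "$1/index.txt" ] || return 1
    grep -Eq '^[0-9A-Fa-f]+$' "$1/serial"
}

# private/ must carry no group or other permission bits (columns 5-10 of 'ls -ld' are all '-').
ca_private_dir_locked() {
    [ "$(ls -ld "$1/private" | cut -c5-10)" = "------" ]
}

# Run every check, report each failure, and return non-zero if any check failed.
check_ca() {
    dir=$1; pass=${2:-${CA_PASS:-}}; rc=0
    ca_key_is_encrypted "$dir/private/cakey.pem" || { echo "FAIL: cakey.pem is not encrypted"; rc=1; }
    ca_cert_is_ca "$dir/cacert.pem" || { echo "FAIL: cacert.pem is not a self-signed CA certificate"; rc=1; }
    ca_key_matches_cert "$dir/private/cakey.pem" "$dir/cacert.pem" "$pass" \
        || { echo "FAIL: cakey.pem does not match cacert.pem (wrong passphrase?)"; rc=1; }
    ca_state_ok "$dir" || { echo "FAIL: serial or index.txt missing or malformed"; rc=1; }
    ca_private_dir_locked "$dir" || { echo "FAIL: $dir/private is group/world accessible"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir looks like a usable CA"
    return "$rc"
}

# Only run automatically when saved and executed as check_ca.sh.
case "$0" in *check_ca.sh) check_ca "${1:-./sslCA}" "${2:-}" ;; esac
```

If the permission check fails on a CA built with the original script, run chmod 700 sslCA/private and chmod 600 sslCA/private/cakey.pem before re-running the check.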

In this article, we have discussed how to create a CA using OpenSSL. Feel free to reach out if you have any questions or need further assistance.

Written by Prabod Dunuwila

Software Engineer @ WSO2 | MIT @ University of Kelaniya, Sri Lanka.