Create Certificate Authority and sign a certificate with Root CA


Written by - Deepak Prasad

In this article I will share the steps to create a Certificate Authority (CA) certificate and then use that CA certificate to sign a server certificate.

I have already written multiple articles on OpenSSL; I recommend that you also check them for more OpenSSL examples:

 

This is the brief list of steps to create a Certificate Authority using OpenSSL:

  • Create the private key that will be used for the CA certificate.
  • Create the Certificate Authority certificate from the key you just generated.
  • Create a Certificate Signing Request (CSR) for your server.
  • Sign the CSR using the CA certificate and the CA private key.

 

Step 1: Install OpenSSL

On RHEL/CentOS 7/8 you can use yum or dnf respectively, while on Ubuntu you use apt-get to install the openssl package.

NOTE:
On a RHEL system you must have an active subscription to RHN, or you can configure a local offline repository from which the "yum" package manager can install the provided rpm and its dependencies.
[root@centos8-1 ~]# yum -y install openssl

 

Step 2: OpenSSL encrypted data with salted password

When we create the private key for the Root CA certificate, we can either encrypt the private key or create it without any encryption. If we choose to encrypt the private key with a cipher such as 3DES or AES, a passphrase must be supplied every time the private key is used, for example each time the CA signs a CSR. 3DES (the -des3 option used below) is a legacy cipher; on a current OpenSSL prefer -aes256, which genrsa accepts in the same way.

I have already written another article with the steps to encrypt a password file with openssl enc and a salted password, so I will not repeat those steps here.

We will use the same password file (mypass.enc) for all examples in this article. Be aware that when openssl is given -passin file:mypass.enc or -passout file:mypass.enc it reads the first line of that file verbatim and uses it as the passphrase, whatever the file contains, so the file must be protected (mode 0600, owned by the user running openssl) exactly as you would protect the private key itself.

 

Step 3: Generate Private Key

First generate the private key ca.key; we will use this private key to create the Certificate Authority certificate. The -des3 option encrypts the key with the passphrase read from mypass.enc:

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
....................................++++
e is 65537 (0x010001)

 

OpenSSL verify Private Key content

To verify the content of the private key we created above, use the openssl command as shown below (the passphrase is again read from mypass.enc):

[root@centos8-1 certs]# openssl rsa -noout -text -in ca.key -passin file:mypass.enc

 

Step 4: Create Certificate Authority Certificate

Now we will use the private key with openssl to create the Certificate Authority certificate ca.cert.pem. openssl req -x509 builds an X.509 certificate from the Distinguished Name you enter at the prompts and the public key extracted from ca.key, and signs it with that same private key; because issuer and subject are identical, the result is a self-signed root certificate. With the default openssl.cnf the certificate also receives the v3_ca extensions (Subject Key Identifier, Authority Key Identifier and the critical Basic Constraints CA:TRUE), which is what makes it usable as a CA; you can see them in the verification output further below. A validity of 365 days is short for a root, since every certificate it signs becomes untrusted once the root expires, so use a longer -days value for a CA that will outlive a test.

[root@centos8-1 certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:centos8-1 CA
Email Address []:admin@golinuxcloud.com

 

OpenSSL verify CA certificate

To verify CA certificate content using openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:73:47:ce:49:c6:a7:ab:36:ad:b8:56:bc:73:3a:e4:63:f7:93:14
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Validity
            Not Before: Apr 11 15:45:10 2020 GMT
            Not After : Apr 11 15:45:10 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

             <Output trimmed>

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
            X509v3 Authority Key Identifier:
                keyid:04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94

            X509v3 Basic Constraints: critical
                CA:TRUE

            <Output trimmed>

 

Step 5: Generate a server key and request for signing (CSR)

This step creates the server key and the request (the .csr file) that you want signed by the Certificate Authority.

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................++++
...........................................................................................................++++
e is 65537 (0x010001)

We now generate a Certificate Signing Request which contains some of the information that we want included in the certificate. To prove ownership of the private key, the CSR is signed with the subject's private key server.key. Think carefully when entering the Common Name (CN) as you generate the .csr file below: it should match the DNS name, or the IP address, that you specify in your Apache configuration. Note that modern browsers and TLS libraries ignore the CN for hostname matching and require the name in a Subject Alternative Name (SAN) extension; the interactive prompts below do not add one, so a certificate issued from this CSR will fail hostname validation in Chrome, Firefox, curl, Go and similar clients unless a SAN extension is added to the request or at signing time.

[root@centos8-1 certs]# openssl req -new -key server.key -out server.csr -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:server
Email Address []:admin@golinuxcloud.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

OpenSSL verify server key content

We can use the same command as we used to verify the ca.key content:

[root@centos8-1 certs]# openssl rsa -noout -text -in server.key -passin file:mypass.enc

 

OpenSSL verify Certificate Signing Request (CSR)

To verify the openssl CSR, use the command below (the CSR is not encrypted, so no passphrase is needed):

[root@centos8-1 certs]# openssl req -noout -text -in server.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>

 

Step 6: Sign a certificate with CA

In this step we issue the certificate server.crt, signed by the CA root certificate ca.cert.pem and the CA key ca.key which we created in the previous steps.

openssl takes your signing request (CSR) and makes a one-year signed server certificate (crt) out of it. To do so we need to tell it which Certificate Authority (CA) certificate to use, which CA key to use, and which CSR to sign. -CAcreateserial generates a random serial number for this certificate and creates the serial file ca.srl, which later signings with the same CA use to keep serial numbers unique, and the signed certificate is written to the file named server.crt. Note that openssl x509 -req does not copy extensions from the CSR and adds none of its own unless you pass -extfile; the result is therefore a Version 1 certificate with no Basic Constraints, Key Usage or Subject Alternative Name, as the verification output below confirms. That is fine for a lab, but a certificate that browsers or other TLS clients must accept needs those extensions supplied at signing time.

[root@centos8-1 certs]# openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt -passin file:mypass.enc
Signature ok
subject=C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
Getting CA Private Key

 

OpenSSL verify server certificate

Verify server certificate content using openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            69:ee:7f:8f:12:77:b3:0b:75:b8:ac:eb:66:df:bf:50:82:bf:64:b0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Validity
            Not Before: Apr 11 15:50:23 2020 GMT
            Not After : Apr 11 15:50:23 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>

 

Lastly, I hope the steps from this article to create a Certificate Authority and sign a certificate with a CA on Linux were helpful. Let me know your suggestions and feedback using the comment section.

 


14 thoughts on “Create Certificate Authority and sign a certificate with Root CA”

  1. Thanks for providing this! I have a question: if I want to authenticate a client by his certificate, should I use a root CA (as you did in the next article) or do I just generate a client key and CSR and then sign it with the same CA as the server?
    (I am using an Apache server locally on my virtual machine.)

    • Hello, the root CA and the CA I use here are not different. It is just that the root CA you are referring to was used to create a certificate chain. So you can just create your own CA and use that to sign your certificate along with the CSR.

        • One more question please! Should I use more than one virtual machine as you did in the "OpenSSL create client certificate & server certificate with example" article? You mentioned that we need to have a CentOS 8 running on Oracle VirtualBox; should I do the same here?

            • Hi Admin,

              I have created a certificate with Root CA and intermediate and then self-signed, but still it's showing your CA is not valid as it was from an unauthorized CA store, so how can I resolve the issue??

              • Can you post the exact error you get and what you are trying to do when you get this error? Apache server?
                "CA not valid" would generally mean that you are not using the CA which was used to sign the certificate.
  2. Nice article, really helpful – Thanks!

    But in the "HINT" at the end, to remove the password from the server.key file, I think the command needs to also take the pass file, i.e.:

    openssl rsa -in server.key -out server.key.insecure -passin file:mypass.enc

    ?

    • Yes, you are correct. Thanks for highlighting; I have tested the same and updated the article.
      To encrypt:

      openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096

      To decrypt:

      # openssl rsa -in server.key -out server.key.insecure -passin file:mypass.enc
      writing RSA key
  3. Hi

    Very helpful articles, so thanks for sharing this information.

    I followed the guidance in this article on how to create and use a CA for signing certificates but unfortunately could not get it to work with curl on my Windows 10 machine.

    curl -X POST --cacert cacert.pem -d @data.json https://my.domain.com/api -H "Content-Type:application/json"
    
    curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

    curl -V
    curl 7.83.1 (Windows) libcurl/7.83.1 Schannel
    Release-Date: 2022-05-13
    Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
    Features: AsynchDNS HSTS IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets

    I was able to use curl with self-signed certificates but this CA certificate just isn't working. I've searched online but the advice appears to be related to using the curl lib rather than the command line.

    Any ideas?

    Thanks
  4. Hi,
    Thanks for the neat explanation.
    I was able to create the certs properly, so my understanding is that signing with a CA means we will be the CA authority which literally owns the CA.
    When I tried to verify whether it is CA signed or not, I am getting an error message as below.
    ———–

    $openssl verify -verbose -CAfile ca.cert.pem server.crt
    C = US, ST = Denver, L = Colorado, O = domain INC, OU = Quantum, CN = domain.com, emailAddress = veera@domain.com
    error 18 at 0 depth lookup: self signed certificate
    error server.crt: verification failed

    Please suggest how I can verify whether it is CA signed or not?