Create Certificate Authority and sign a certificate with Root CA

In this article I will share the steps to create Certificate Authority Certificate and then use this CA certificate to sign a certificate.

I have already written multiple articles on OpenSSL, I would recommend you to also check them for more overview on openssl examples:

 

These are the brief list of steps to create Certificate Authority using OpenSSL:

  • Create private key to be used for the certificate.
  • Create certificate Authority from the key that you just generated.
  • Create Certificate Signing Request for your server.
  • Sign the certificate signing request using the key from your CA certificate.

 

Step 1: Install OpenSSL

On RHEL/CentOS 7/8 you can use yum or dnf respectively while on Ubuntu use apt-get to install openssl rpm

NOTE:

On RHEL system you must have an active subscription to RHN or you can configure a local offline repository using which "yum" package manager can install the provided rpm and it's dependencies.
[root@centos8-1 ~]# yum -y install openssl

 

Step 2: OpenSSL encrypted data with salted password

When we create private key for Root CA certificate, we have an option to either use encryption for private key or create key without any encryption. As if we choose to create private key with encryption such as 3DES, AES then you will have to provide a passphrase every time you try to access the private key.

I have already written another article with the steps for openssl encd data with salted password to encrypt the password file. So I will not repeat the steps here again.

We will use the same encrypted password file for all our examples in this article to demonstrate openssl create certificate chain examples.

 

Step 3: Generate Private Key

First generate private key ca.key, we will use this private key to create Certificate Authority certificate

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
....................................++++
e is 65537 (0x010001)

 

OpenSSL verify Private Key content

To verify the content of private key we created above use openssl command as shown below:

[root@centos8-1 certs]# openssl rsa -noout -text -in ca.key -passin file:mypass.enc

 

Step 4: Create Certificate Authority Certificate

Now we will use the private key with openssl to create certificate authority certificate ca.cert.pem. OpenSSL uses the information you specify to compile a X.509 certificate using the information prompted to the user, the public key that is extracted from the specified private key which is also used to generate the signature.

[root@centos8-1 certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:centos8-1 CA
Email Address []:admin@golinuxcloud.com

 

OpenSSL verify CA certificate

To verify CA certificate content using openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:73:47:ce:49:c6:a7:ab:36:ad:b8:56:bc:73:3a:e4:63:f7:93:14
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Validity
            Not Before: Apr 11 15:45:10 2020 GMT
            Not After : Apr 11 15:45:10 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

             <Output trimmed>

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
            X509v3 Authority Key Identifier:
                keyid:04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94

            X509v3 Basic Constraints: critical
                CA:TRUE

            <Output trimmed>

 

Step 5: Generate a server key and request for signing (CSR)

This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................++++
...........................................................................................................++++
e is 65537 (0x010001)

We now generate a Certificate Signing Request which contains some of the info that we want to be included in the certificate. To prove ownership of the private key, the CSR is signed with the subject's private key server.key.Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name, or the IP address you specify in your Apache configuration.

[root@centos8-1 certs]# openssl req -new -key server.key -out server.csr -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:server
Email Address []:admin@golinuxcloud.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

OpenSSL verify server key content

We can use the same command as we used to verify ca.key content

[root@centos8-1 certs]# openssl rsa -noout -text -in server.key -passin file:mypass.enc

 

OpenSSL verify Certificate Signing Request (CSR)

To verify openssl CSR certificate use below command:

[root@centos8-1 certs]# openssl req -noout -text -in server.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>

 

Step 6: Sign a certificate with CA

In this command we will issue this certificate server.crt, signed by the CA root certificate ca.cert.pem and CA key ca.key which we created in the previous command.

Openssl takes your signing request (csr) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign. We set the serial number using CAcreateserial, and output the signed key in the file named server.crt

[root@centos8-1 certs]# openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt -passin file:mypass.enc
Signature ok
subject=C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
Getting CA Private Key

 

OpenSSL verify server certificate

Verify server certificate content using openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            69:ee:7f:8f:12:77:b3:0b:75:b8:ac:eb:66:df:bf:50:82:bf:64:b0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com
        Validity
            Not Before: Apr 11 15:50:23 2020 GMT
            Not After : Apr 11 15:50:23 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>

 

Lastly I hope the steps from the article to create Certificate Authority and sign a certificate with a CA on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

References:
Create Certificate Authority using OpenSSL

 

Related Searches:  ca self signed certificate, how to sign a certificate, create certificate authority, create self signed ca certificate openssl, generate root ca certificate

5 thoughts on “Create Certificate Authority and sign a certificate with Root CA”

  1. Thanks for providing this! i have a question, if i want to authenticate client by a his certificate, should i use a root CA ( as you did in the next article ) or i just generate a client key and CSR then sign it with the same CA as the server ?
    ( i am using Apache server locally on my virtual machine).

    Reply
    • Hello, root CA and the CA I use here are not different. it is just that the root CA you are referring was used to create a certificate chain. So you can just create your own CA and use that to sign your certificate along with CSR

      Reply
        • one more question please! should i use more than 1 virtual machine as u did in "OpenSSL create client certificate & server certificate with example" article ? you mentionned that we need to have a CentOS 8 running on Oracle VirtualBox? should i do the same here?

          Reply

Leave a Comment

Please use shortcodes <pre class=comments>your code</pre> for syntax highlighting when adding code.