Table of Contents
In this article I will share the steps to create Certificate Authority Certificate and then use this CA certificate to sign a certificate.
I have already written multiple articles on OpenSSL, I would recommend you to also check them for more overview on openssl examples:
- Beginners guide to understand all Certificate related terminologies used with openssl
- Generate openssl self-signed certificate with example
- Create your own Certificate Authority and generate a certificate signed by your CA
- Create certificate chain (CA bundle) using your own Root CA and Intermediate Certificates with openssl
- Create server and client certificates using openssl for end to end encryption with Apache over SSL
- Create SAN Certificate to protect multiple DNS, CN and IP Addresses of the server in a single certificate
These are the brief list of steps to create Certificate Authority using OpenSSL:
- Create private key to be used for the certificate.
- Create certificate Authority from the key that you just generated.
- Create Certificate Signing Request for your server.
- Sign the certificate signing request using the key from your CA certificate.
Step 1: Install OpenSSL
On RHEL/CentOS 7/8 you can use yum or dnf respectively while on Ubuntu use apt-get to install openssl rpm
[root@centos8-1 ~]# yum -y install openssl
Step 2: OpenSSL encrypted data with salted password
When we create private key for Root CA certificate, we have an option to either use encryption for private key or create key without any encryption. As if we choose to create private key with encryption such as 3DES, AES then you will have to provide a passphrase every time you try to access the private key.
I have already written another article with the steps for openssl encd data with salted password to encrypt the password file. So I will not repeat the steps here again.
We will use the same encrypted password file for all our examples in this article to demonstrate openssl create certificate chain examples.
Step 3: Generate Private Key
First generate private key ca.key, we will use this private key to create Certificate Authority certificate
[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
....................................++++
e is 65537 (0x010001)
OpenSSL verify Private Key content
To verify the content of private key we created above use openssl command as shown below:
[root@centos8-1 certs]# openssl rsa -noout -text -in ca.key -passin file:mypass.enc
Step 4: Create Certificate Authority Certificate
Now we will use the private key with openssl to create certificate authority certificate ca.cert.pem. OpenSSL uses the information you specify to compile a X.509 certificate using the information prompted to the user, the public key that is extracted from the specified private key which is also used to generate the signature.
[root@centos8-1 certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:Karnataka Locality Name (eg, city) [Default City]:Bengaluru Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud Organizational Unit Name (eg, section) []:R&D Common Name (eg, your name or your server's hostname) []:centos8-1 CA Email Address []:admin@golinuxcloud.com
OpenSSL verify CA certificate
To verify CA certificate content using openssl:
[root@centos8-1 certs]# openssl x509 -noout -text -in ca.cert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 4a:73:47:ce:49:c6:a7:ab:36:ad:b8:56:bc:73:3a:e4:63:f7:93:14 Signature Algorithm: sha256WithRSAEncryption Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com Validity Not Before: Apr 11 15:45:10 2020 GMT Not After : Apr 11 15:45:10 2021 GMT Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) <Output trimmed> X509v3 extensions: X509v3 Subject Key Identifier: 04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94 X509v3 Authority Key Identifier: keyid:04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94 X509v3 Basic Constraints: critical CA:TRUE <Output trimmed>
Step 5: Generate a server key and request for signing (CSR)
This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority
[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................++++
...........................................................................................................++++
e is 65537 (0x010001)
We now generate a Certificate Signing Request which contains some of the info that we want to be included in the certificate. To prove ownership of the private key, the CSR is signed with the subject's private key server.key.Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name, or the IP address you specify in your Apache configuration.
[root@centos8-1 certs]# openssl req -new -key server.key -out server.csr -passin file:mypass.enc You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:Karnataka Locality Name (eg, city) [Default City]:Bengaluru Organization Name (eg, company) [Default Company Ltd]:GoLinuxCloud Organizational Unit Name (eg, section) []:R&D Common Name (eg, your name or your server's hostname) []:server Email Address []:admin@golinuxcloud.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
OpenSSL verify server key content
We can use the same command as we used to verify ca.key content
[root@centos8-1 certs]# openssl rsa -noout -text -in server.key -passin file:mypass.enc
OpenSSL verify Certificate Signing Request (CSR)
To verify openssl CSR certificate use below command:
[root@centos8-1 certs]# openssl req -noout -text -in server.csr Certificate Request: Data: Version: 1 (0x0) Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) <Output trimmed>
Step 6: Sign a certificate with CA
In this command we will issue this certificate server.crt, signed by the CA root certificate ca.cert.pem and CA key ca.key which we created in the previous command.
Openssl takes your signing request (csr) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign. We set the serial number using CAcreateserial, and output the signed key in the file named server.crt
[root@centos8-1 certs]# openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt -passin file:mypass.enc
Signature ok
subject=C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com
Getting CA Private Key
OpenSSL verify server certificate
Verify server certificate content using openssl:
[root@centos8-1 certs]# openssl x509 -noout -text -in server.crt Certificate: Data: Version: 1 (0x0) Serial Number: 69:ee:7f:8f:12:77:b3:0b:75:b8:ac:eb:66:df:bf:50:82:bf:64:b0 Signature Algorithm: sha256WithRSAEncryption Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = centos8-1 CA, emailAddress = admin@golinuxcloud.com Validity Not Before: Apr 11 15:50:23 2020 GMT Not After : Apr 11 15:50:23 2021 GMT Subject: C = IN, ST = Karnataka, L = Bengaluru, O = GoLinuxCloud, OU = R&D, CN = server, emailAddress = admin@golinuxcloud.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) <Output trimmed>
server.key for your Apache or other services, then it will ask for password every time you restart the respective service. You can choose to remove the passphrase by using openssl rsa -in server.key -out server.key.insecure -passin file:mypass.enc and then use insecure version of server.key for your services
Lastly I hope the steps from the article to create Certificate Authority and sign a certificate with a CA on Linux was helpful. So, let me know your suggestions and feedback using the comment section.
References:
Create Certificate Authority using OpenSSL
Related Searches: ca self signed certificate, how to sign a certificate, create certificate authority, create self signed ca certificate openssl, generate root ca certificate
Thanks for providing this! i have a question, if i want to authenticate client by a his certificate, should i use a root CA ( as you did in the next article ) or i just generate a client key and CSR then sign it with the same CA as the server ?
( i am using Apache server locally on my virtual machine).
Hello, root CA and the CA I use here are not different. it is just that the root CA you are referring was used to create a certificate chain. So you can just create your own CA and use that to sign your certificate along with CSR
Thanks a lot ! that was helpful 😀
one more question please! should i use more than 1 virtual machine as u did in “OpenSSL create client certificate & server certificate with example” article ? you mentionned that we need to have a CentOS 8 running on Oracle VirtualBox? should i do the same here?
You can use any machine that wouldn’t matter, just make sure you use proper CN while generating CSR as that is all what matters.
Hi Admin,
i have created certificate with Root CA and intermediate and then self-sign but still, it’s showing your CA is not valid as it was from un authorized CA store so how can I resolve the issues ??
Can you post the exact error you get and what are you trying to do when you get this error? apache server?.
CAN not valid would generally mean that you are not using the CA which was used to sign the certificate
Nice article, really helpful – Thanks!
But in the “HINT” at the end, to remove the password from the server.key file, I think the command needs to also take the pass file, ie:
?
Yes, you are correct. Thanks for highlighting, I have tested the same and updated the article
To encrypt:
To decrypt:
Great, thanks again.
Hi
Very helpful articles so thanks for sharing this information.
Followed the guidance in this article on how to create and use a CA for signing certificates but unfortunately could not get it to work with curl on my Windows 10 machine
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I was able to use curl with self-signed certificates but this CA certificate just isn’t working. I’ve searched online but advice appears to be related to using the curl lib rather then the cmdline.
Any ideas ?
Thanks
Hi,
Thanks for the neat explanation..
I able to create a certs properly, so my understanding is Signing with CA means we will be the CA authority which literally own CA.
when I tried to verify it whether CA signed or not I am getting an error message as below.
———–
please suggest how can I verify its CA signed or not ?
This would mean that the
ca.cert.pemwas not used to signserver.crtJust to say “thank you” for this amazing tutorial.