This tutorial walks you through OpenSSL and Public Key Infrastructure (PKI) from first principles - what a CA actually is, how certificates are signed, and why everyone keeps confusing openssl ca with openssl x509. We then build a complete two-tier PKI (Root CA + Intermediate CA), issue real server and client certificates with proper x509 extensions, set up mutual TLS, and cover the full lifecycle through renewal and revocation.
Every command is tested on a fresh Linux VM and uses real config files (openssl.cnf) rather than throwaway one-liners. On Ubuntu workstations, confirm the CLI with install OpenSSL on Ubuntu before you start. By the end you will be able to operate a small internal CA confidently - the same skills used by Kubernetes admins, VPN administrators, and anyone running internal HTTPS services.
Click Start the course to begin with the PKI fundamentals chapter, or jump straight to the section you need - certificate generation, renewal, and revocation are the three most-bookmarked.

