Creating a sample CA


Digital certificates are now widely used to secure communication with web sites, VPNs and other services. One common problem is how to create your own CA to add a further level of security to your infrastructure. The purpose of this document is to give a brief overview of how to create a sample CA for private use. The main tools will be OpenSSL and Linux. If the SSL package and/or operating system you use are different, the format of some or all commands may vary. This document uses OpenSSL 0.9.8h; if your version is different, please refer to the documentation for changes between versions.


  1. The first step is to choose a directory where the CA files will reside. For me /etc/localCA looks self-explanatory enough and a good location. The directory /opt is not a bad choice either, but since /etc is intended for configuration files it is better to use it:

# mkdir -p /etc/localCA

  1. Next we should create two directories, one to keep the certificates issued by the authority and one to keep the CA's own certificate and key. It is highly recommended to keep them in separate "storages"; for example /etc/localCA/certs and /etc/localCA/own look good.

# mkdir -p /etc/localCA/own /etc/localCA/certs

  1. Then we should create a file used by OpenSSL to track the serial numbers of certificates issued by the CA, and a file (empty at the start) that keeps the database of those certificates:

# echo 0001 > /etc/localCA/serial

# > /etc/localCA/list_cert

  1. It's time to create the config file for our CA, named openssl.cnf and placed in the root directory of our CA. Do not forget to change default parameters such as crl_days, days, md and the CA policy according to the rules of your company (if used in a company). There may be another config file somewhere on your system, but we will use a much simpler one that is still sufficient for our task. For explanations of the different options, please refer to the documentation of OpenSSL or the SSL package you use.

[ ca ]
default_ca = localCA

[ localCA ]
dir = /etc/localCA
certificate = $dir/cacert.pem
# must match the (initially empty) database file created in step 3
database = $dir/list_cert
new_certs_dir = $dir/certs
private_key = $dir/own/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 730
# sha1 was the current default for 0.9.8h; on any newer OpenSSL prefer sha256
default_md = sha1
policy = localCA_policy
x509_extensions = certificate_extensions

[ localCA_policy ]
commonName = supplied
countryName = optional
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
# certificates issued by this CA must not be able to act as a CA themselves
basicConstraints = CA:false

  1. Tell OpenSSL where the config file is located:

# export OPENSSL_CONF=/etc/localCA/openssl.cnf

  1. The next step is to create the self-signed certificate for our CA. For this task we will create a "response file", because there is always the possibility of error when you enter information by hand, so we add the lines below to our config file:

[ req ]
default_bits = 2048
default_keyfile = /etc/localCA/own/cakey.pem
default_md = sha1
# take the subject from the section below instead of asking interactively
prompt = no
distinguished_name = root_ca_local
x509_extensions = root_ca_extensions

[ root_ca_local ]
commonName = Local CA
emailAddress =
organizationName = Root Certification Authority

[ root_ca_extensions ]
# only the CA's own certificate carries CA:true
basicConstraints = CA:true

  1. Let's generate the self-signed certificate for our CA:

# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 730

Generating a 2048 bit RSA private key
writing new private key to '/etc/localCA/own/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:


  1. Et voilà, our CA is ready to issue certificates for our local use. Let's test it and create one. First we need to "clear" the environment variable for the config file, so that the request is built with the default OpenSSL configuration rather than the CA's:

# unset OPENSSL_CONF

  1. Then let's create a certificate request:

# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM

Generating a 1024 bit RSA private key
writing new private key to 'testkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:BG
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Test
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

  1. Issue the certificate from this request:

# export OPENSSL_CONF=/etc/localCA/openssl.cnf

# openssl ca -in testreq.pem

Using configuration from /etc/localCA/openssl.cnf
Enter pass phrase for /etc/localCA/own/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BG'
organizationName      :PRINTABLE:'Local'
commonName            :PRINTABLE:'Test'
emailAddress          :IA5STRING:''
Certificate is to be certified until Aug  2 21:40:51 2010 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Local CA/, O=Root Certification Authority
<output snipped>

  1. Now the directory /etc/localCA/certs contains a file named after the certificate's serial number, with the extension pem from the output format. And that's all.
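To see the whole procedure run end to end, with the checks a practitioner wants afterwards, here is an added example (not the post's own commands): it rebuilds the same layout and config in a scratch directory, issues one certificate without prompts, then verifies the chain, confirms the issued certificate carries CA:FALSE and that its copy landed under certs/. It assumes OpenSSL 1.1.1 or 3.x rather than 0.9.8h, so sha256 replaces sha1; the subjects and the pass phrase are constructed placeholders.

```shell
# Added example, not the post's own commands: rebuilds the post's CA layout in a
# scratch directory, issues one certificate non-interactively and checks it.
# Assumes OpenSSL 1.1.1 or 3.x on PATH (sha256 instead of the 0.9.8h-era sha1);
# subjects and the pass phrase are constructed placeholders.
ca_issue_and_verify() {
  root=$(mktemp -d) && mkdir -p "$root/own" "$root/certs"   # steps 1-2
  echo 0001 > "$root/serial" && : > "$root/list_cert"       # step 3
  cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = localCA
[ localCA ]
dir = $root
certificate = \$dir/cacert.pem
database = \$dir/list_cert
new_certs_dir = \$dir/certs
private_key = \$dir/own/cakey.pem
serial = \$dir/serial
default_days = 730
default_md = sha256
policy = localCA_policy
x509_extensions = certificate_extensions
[ localCA_policy ]
commonName = supplied
organizationName = supplied
emailAddress = supplied
[ certificate_extensions ]
basicConstraints = critical, CA:false
[ req ]
distinguished_name = dn
x509_extensions = root_ca_extensions
[ dn ]
[ root_ca_extensions ]
basicConstraints = critical, CA:true
EOF
  # Step 7: self-signed CA certificate, private key protected by a pass phrase.
  openssl req -x509 -newkey rsa:2048 -days 730 -config "$root/openssl.cnf" \
    -subj "/CN=Local CA/O=Root Certification Authority" -passout pass:capass \
    -keyout "$root/own/cakey.pem" -out "$root/cacert.pem" >/dev/null 2>&1
  # Steps 9-10: request for a leaf, then sign it with the CA without prompts.
  openssl req -new -newkey rsa:2048 -nodes -config "$root/openssl.cnf" \
    -subj "/CN=Test/O=Local/emailAddress=test@example.test" \
    -keyout "$root/testkey.pem" -out "$root/testreq.pem" >/dev/null 2>&1
  openssl ca -batch -notext -config "$root/openssl.cnf" -passin pass:capass \
    -in "$root/testreq.pem" -out "$root/testcert.pem" >/dev/null 2>&1
  # Checks: chain validates, leaf is not a CA, signed copy sits in certs/ (step 11).
  openssl verify -CAfile "$root/cacert.pem" "$root/testcert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$root/testcert.pem" -noout -ext basicConstraints |
      grep -q 'CA:FALSE' && [ -f "$root/certs/01.pem" ] && echo ok
  rm -rf "$root"
}
```

The function prints ok only when every check passes; a leaf that came back with CA:TRUE, or a CA certificate that did not sign it, leaves the output empty.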

Final notes

This manual is just a simplified example of the process of creating a CA and does not replace the need to read and understand the documentation. Of course there are many products that simplify most of the work, but to understand the process better nothing can replace old-fashioned command line tools.

