Setting Up a Certificate Authority(4.2)

This page explains how to set up a CA. In the following example it is called Test CA.

  1. To start Test CA, we need a private key. This is the top secret of the CA. If this is compromised then the CA is doomed! All certificates issued by this CA will be revoked. This is why the root private key is so important and often kept off-line necessitating a multi-tier hierarchy. For our Test CA, we need to create the key-pair and create a Certificate Signing Request (CSR) for the root CA's public key.

    This CSR is for the CA itself.


     These two steps can be done in a single command using SSL as follows:

    $ openssl req -new -keyout cakey.pem -out careq.pem

    When prompted for Common Name, the hostname where the certificate is valid should be entered, for example localhost. Other values can be anything.

  2. Now we need to generate a certificate out of Test CA's CSR. Obviously this would be self signed. The following OpenSSL command is used to generate a self signed certificate form the CSR.

    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca


  3. At this point you have self signed root certificate of our Test CA. This certificate, caroot.cer, along with the private key, cakey.pem, will be used to sign others certificates. This root public certificate should be publicly available and must be trusted by programs.

    Test CA is ready, you need to note that when a CA issues a new certificate, it will put a unique serial number into that certificate. So you need to tell OpenSSL what is the next serial number to use. To do that, create a serial.txt file containing a serial number in the same directory as cakey.pem and caroot.cer

    $ echo 1234 > serial.txt