Signing a certificate with your own certificate authority

Wednesday, November 10, 2010

In this post I'll describe how to quickly get set up as your own certificate authority and sign a certificate.

First, generate the CA certificate, making sure to fill in the Country Name, State or Province Name, and Common Name:

# cd /etc/pki/tls/certs/
# openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt -days 3650

Next, generate a key and a certificate signing request. This can be done on a different machine. Again, be sure to fill in the three fields mentioned above.

# openssl genrsa -out server.key 1024
# openssl req -new -key server.key -out server.csr

When this is done, send the CSR file to the CA to be signed, and sign it:

# openssl ca -in server.csr -cert ca.crt -keyfile ca.key -out server.crt -days 3650

Depending on your distribution and configuration, the CA signing process might complain about certain files or directories not being found the first time this is run. If so, the index.txt file should be empty, and the serial file should contain the number 01.

For example, on Fedora/Redhat systems you can do this:

# touch /etc/pki/CA/index.txt
# echo '01' > /etc/pki/CA/serial

Now you're done! The files server.key and server.crt have the private key and the public certificate. You can verify the cert with:

$ openssl verify -CAfile ca.crt server.crt

Tags: authority, certificate, encryption, openssl, sign | Posted at 22:42 | Comments (0)


There are no comments.

Add a comment

Email: (optional, not displayed to public)
URL: (do not fill this in — leave blank!)