Recently, I discovered how to use the CA script shipped with openssl to create a certificate authority and self-signed certificates. Traditionally, I had run all of the commands manually. When using the CA script it is critical to understand the underlying security concepts.

Certificate Authority

Openssl has infrastructure to create a long-lived Certificate Authority.


Every certificate the CA signs is tracked: the index file is the database of the certificates stored in the newcerts directory.


The scripts which come with the openssl package on RHEL can be used to build a certificate authority, complete signing requests, sign them, and verify the result.



Configure a Certificate Authority (Openssl Infrastructure)

Set up the openssl.conf file






Create the certificate authority. Remember to put in a Common Name, or the Certificate Authority will not be built correctly and will be unusable.


Generate New Self Signed Certificate

Create the signing request, then sign it with your CA. If you generate a new certificate with the CA script alone, it will not be signed at all. This method keeps track of all certificates in the CA directory. This tracking mechanism allows a certificate to be revoked should it become compromised during its lifetime.


Then sign it


Verify it
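The CA setup and the request, sign and verify cycle described in the two sections above, worked through as an added example. This script is not the page's own (the page's commands did not survive extraction) and uses the raw openssl commands that the RHEL CA script wraps rather than the script itself. The directory layout under CA_DIR, the minimal openssl.cnf, the name web01 and the validity periods are assumptions. It goes one step beyond the text by also revoking the certificate and checking it against a CRL, which is the tracking mechanism the text refers to.

```shell
#!/bin/sh
# Added example (not the page's own commands): lay out the directory
# structure that `openssl ca` expects, create a CA, issue, verify and
# revoke a certificate. CA_DIR, names and validity periods are assumptions.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"            # certificate database (one line per cert)
    echo 1000 > "$CA_DIR/serial"       # next certificate serial number
    echo 1000 > "$CA_DIR/crlnumber"    # next CRL number, needed by -gencrl
    # Minimal openssl.cnf written from scratch for this demo.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $CA_DIR
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_cn
x509_extensions    = v3_leaf
[ policy_cn ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
EOF
}

# Self-signed CA certificate. The CN is mandatory, as the page warns.
create_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Demo Root CA" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
    chmod 600 "$CA_DIR/private/cakey.pem"
}

# Key + signing request for $1, then sign it with the CA. The CA records
# the new certificate in index.txt and newcerts/.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$CA_DIR/openssl.cnf" \
        -subj "/CN=$1" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/openssl.cnf" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Chain verification against the CA certificate only (no CRL).
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Mark the certificate revoked in the database and publish a CRL.
revoke_cert() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Verification that also consults the CRL; fails once the cert is revoked.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
        -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Status column of index.txt for $1: V = valid, R = revoked.
cert_status() {
    awk -F'\t' -v cn="/CN=$1" '$NF == cn { print $1 }' "$CA_DIR/index.txt" | tail -n 1
}

main() {
    setup_ca; create_ca; issue_cert web01
    echo "web01 status: $(cert_status web01)"
    revoke_cert web01
    echo "web01 status after revoke: $(cert_status web01)"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

Run it with RUN_DEMO=1. The status column of index.txt for web01 reads V after signing and R after revocation, and verification with -crl_check then fails while plain verification against the CA certificate alone still succeeds, which is why a CRL (or OCSP) must be published and checked for revocation to have any effect.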


Special Operations

Modify CA Script to Prevent Key Encryption

There are times when an administrator would like to generate a key that is not encrypted. For example, this allows apache, postfix, dovecot, or vsftpd to load the key at service start without a passphrase prompt. This can be done by modifying the CA script.


Change from:


The -nodes option tells openssl not to encrypt the generated private key. The option name stands for "no DES".
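An added example of the effect of -nodes (these are not the page's commands): one key is generated the default way with a passphrase, one with -nodes, and a small check tells the two apart from the PEM header. Because a clear-text key is protected only by file permissions, the example also locks the key down to owner-only access and verifies that. WORK, the file names, the subject and the passphrase are constructed for this demo.

```shell
#!/bin/sh
# Added example (not the page's own commands): generate a key with and
# without -nodes, detect whether a PEM key is passphrase-protected, and lock
# down an unencrypted key's permissions. WORK, names and the passphrase are
# constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"

# Default behaviour: the key is wrapped with a passphrase (supplied through
# -passout here instead of the interactive prompt).
gen_encrypted_key() {
    openssl req -new -newkey rsa:2048 -config "$WORK/req.cnf" \
        -subj "/CN=svc.example.test" -passout pass:demo-passphrase \
        -keyout "$WORK/enc.key" -out "$WORK/enc.csr" 2>/dev/null
}

# With -nodes ("no DES") the key is written in clear, so a daemon such as
# apache or postfix can load it at boot without anyone typing a passphrase.
gen_plain_key() {
    openssl req -new -nodes -newkey rsa:2048 -config "$WORK/req.cnf" \
        -subj "/CN=svc.example.test" \
        -keyout "$WORK/plain.key" -out "$WORK/plain.csr" 2>/dev/null
}

# Returns 0 if the PEM file is encrypted. Matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# An unencrypted key is only as safe as its file permissions: owner-only.
lock_down() {
    chmod 600 "$1"
}

# Returns 0 if the file mode is exactly 0600.
key_is_locked_down() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

main() {
    gen_encrypted_key; gen_plain_key
    for k in enc plain; do
        if key_is_encrypted "$WORK/$k.key"; then
            echo "$k.key: encrypted"
        else
            lock_down "$WORK/$k.key"
            echo "$k.key: clear text, mode set to 0600"
        fi
    done
}
if [ "${RUN_DEMO:-0}" = 1 ]; then main; fi
```

Run it with RUN_DEMO=1. The same header check is a quick audit for keys already deployed under /etc: any private key that does not match ENCRYPTED should be owned by root or the service account and not be group- or world-readable.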




These commands can be much easier to memorize and use than raw openssl with all of its options. This method also tracks certs and enables a sane method for tracking active and revoked certs.

