OpenSSL Certificate Authority


Recently, I discovered how to use the CA script shipped with openssl to create a certificate authority and self-signed certificates. Traditionally, I had run all of the commands manually. When using the CA script, it is critical to understand the underlying security concepts.

Certificate Authority

Openssl has infrastructure to create a long-lived Certificate Authority.



Signed certificates are tracked: the index file is the database for the certificates kept in newcerts.



The scripts that come with the openssl package on RHEL can be used to build a certificate authority, create signing requests, sign them, and verify the result.

/etc/pki/tls/misc/CA -h



Configure a Certificate Authority (Openssl Infrastructure)

Set up the openssl.conf file.

vim /etc/pki/tls/openssl.conf



private_key = cakey.pem
certificate = cacert.pem
crl = crl.pem


countryName_default = US
stateOrProvinceName_default = Ohio
localityName_default = Akron
0.organizationName_default = Crunchtools


Create the certificate authority. Remember to enter a Common Name, or the Certificate Authority will not be built correctly and will be unusable.

/etc/pki/tls/misc/CA -newca


Generate a New Self-Signed Certificate

Create the signing request, then sign it with your CA. If you generate a new certificate directly with the CA script, it will not be signed at all. This method keeps track of all certificates in the CA directory. This tracking mechanism allows a certificate to be revoked should it become compromised during its lifetime.

/etc/pki/tls/misc/CA -newreq


Then sign it

/etc/pki/tls/misc/CA -sign


Verify it

/etc/pki/tls/misc/CA -verify


Special Operations

Modify CA Script to Prevent Key Encryption

There are times when an administrator would like to generate a key that is not encrypted. For example, this allows the key to be loaded when apache, postfix, dovecot, or vsftpd start. This can be done by modifying the CA script.

vim /etc/pki/tls/misc/CA


Change from:



This tells openssl not to encrypt the generated private key. The -nodes option stands for "no DES".
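As an added example (not code from the page or from the openssl package), here are the raw openssl commands behind the -newca, -newreq, -sign and -verify steps above, run in a scratch directory, with the unencrypted-key variant from this section as a switch on the request step. The scratch directory, the name www.example.test, the demo passphrases and the minimal config file are assumptions for the example; the subject values are the page's own defaults.

```shell
#!/bin/sh
# Added example (not from the page or the openssl package): the raw openssl
# commands behind the CA script's -newca, -newreq, -sign and -verify steps,
# plus the unencrypted-key ("-nodes") variant as a per-request switch.
# Hypothetical: the scratch directory, www.example.test, the demo passphrases
# and the minimal config; the DN values are the page's own defaults.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CFG="$CA_DIR/openssl.cnf"
SUBJ_BASE="/C=US/ST=Ohio/L=Akron/O=Crunchtools"
export CA_PASS="${CA_PASS:-demo-ca-passphrase}"     # constructed; protects cakey.pem
export KEY_PASS="${KEY_PASS:-demo-key-passphrase}"  # constructed; used unless "nodes"

# Layout openssl ca expects: index.txt is the certificate database, serial the
# next serial number, newcerts/ keeps a copy of every issued certificate.
setup_ca_dirs() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
}

# Minimal config so the example never touches the system openssl config.
write_config() {
cat > "$CFG" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# -newca: self-signed CA certificate; the CA key stays encrypted, as the CA
# script's passphrase prompt would leave it.
new_ca() {
    openssl req -new -x509 -newkey rsa:2048 -days 3650 -config "$CFG" \
        -passout env:CA_PASS -keyout "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" -subj "$SUBJ_BASE/CN=Crunchtools Demo CA"
    chmod 600 "$CA_DIR/private/cakey.pem"
}

# -newreq: key and request for Common Name $1. "$2" = nodes writes the key
# unencrypted so a daemon can load it unattended; then only file permissions
# and ownership protect it.
new_request() {
    if [ "${2-}" = nodes ]; then enc="-nodes"; else enc="-passout env:KEY_PASS"; fi
    # $enc is unquoted on purpose so "-passout env:KEY_PASS" becomes two arguments
    openssl req -new -newkey rsa:2048 -config "$CFG" $enc \
        -keyout "$CA_DIR/newkey.pem" -out "$CA_DIR/newreq.pem" -subj "$SUBJ_BASE/CN=$1"
    chmod 600 "$CA_DIR/newkey.pem"
}

# -sign: issue the certificate; openssl ca records it in index.txt and newcerts/.
sign_request() {
    openssl ca -batch -notext -config "$CFG" -passin env:CA_PASS \
        -in "$CA_DIR/newreq.pem" -out "$CA_DIR/newcert.pem"
}

# -verify: chain the issued certificate back to cacert.pem.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/newcert.pem"
}

setup_ca_dirs
write_config
new_ca
new_request www.example.test nodes
sign_request
verify_cert
echo "CA database ($CA_DIR/index.txt):"; cat "$CA_DIR/index.txt"
```

The request step is the one the modified CA script changes: with "nodes" the server key is written in the clear, so chmod 600 and the owning service account are all that protect it, while the CA key stays encrypted so a copied CA directory alone is not enough to issue certificates.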




These commands are much easier to memorize and use than raw openssl with all of its options. This method also tracks certs and provides a sane way to track active and revoked certs.
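The tracking the author refers to is the index.txt database in the CA directory. This added example (not from the page) writes a constructed index.txt with a few rows and reads it with awk: one row per certificate, tab separated, with status (V valid, R revoked, E expired), expiry, revocation time with an optional reason, serial, file name and subject. The rows and the file path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): reading the CA's index.txt database.
# Columns are tab separated: status (V/R/E), expiry, revocation time with an
# optional ",reason", serial, file name ("unknown" as written by the CA
# tools), subject DN. The rows below are constructed sample data.
set -eu

CA_DB="${CA_DB:-$(mktemp)}"   # hypothetical path; the constructed rows are written here
{
    printf 'V\t351231235959Z\t\t01\tunknown\t/C=US/ST=Ohio/L=Akron/O=Crunchtools/CN=www.example.test\n'
    printf 'R\t351231235959Z\t240301120000Z,keyCompromise\t02\tunknown\t/C=US/ST=Ohio/L=Akron/O=Crunchtools/CN=mail.example.test\n'
    printf 'V\t200101000000Z\t\t03\tunknown\t/C=US/ST=Ohio/L=Akron/O=Crunchtools/CN=stale.example.test\n'
    printf 'E\t190101000000Z\t\t04\tunknown\t/C=US/ST=Ohio/L=Akron/O=Crunchtools/CN=old.example.test\n'
} > "$CA_DB"

# Expiry is UTCTime (YYMMDDHHMMSSZ) before 2050 and GeneralizedTime (YYYY...)
# from 2050 on; normalise both to a full-year string so they compare lexically.
AWK_NORM='function norm(t) { return length(t) == 13 ? (substr(t, 1, 2) + 0 < 50 ? "20" : "19") t : t }'

# Serial and Common Name of every certificate still marked valid.
active_certs() {
    awk -F'\t' '$1 == "V" { n = split($6, p, "/CN="); print $4 "\t" p[n] }' "$1"
}

# Serial, revocation time and reason for every revoked certificate.
revoked_certs() {
    awk -F'\t' '$1 == "R" { split($3, r, ","); print $4 "\t" r[1] "\t" (r[2] == "" ? "unspecified" : r[2]) }' "$1"
}

# Rows still marked V whose expiry has passed: the status column only changes
# when "openssl ca -updatedb" is run, so check the date as well.
stale_valid_certs() {
    awk -F'\t' -v now="$(date -u +%Y%m%d%H%M%SZ)" "$AWK_NORM"'
        $1 == "V" && norm($2) <= now { n = split($6, p, "/CN="); print $4 "\t" p[n] }' "$1"
}

# Succeeds only if the serial is present, marked V and not yet expired.
serial_is_valid() {
    awk -F'\t' -v s="$2" -v now="$(date -u +%Y%m%d%H%M%SZ)" "$AWK_NORM"'
        $4 == s { found = 1; ok = ($1 == "V" && norm($2) > now) }
        END { exit (found && ok) ? 0 : 1 }' "$1"
}

echo "active:";  active_certs "$CA_DB"
echo "revoked:"; revoked_certs "$CA_DB"
echo "marked V but expired (needs openssl ca -updatedb):"; stale_valid_certs "$CA_DB"
if serial_is_valid "$CA_DB" 01; then echo "serial 01 usable"; fi
```

Point these functions at the real CA directory's index.txt to audit what the CA script has issued and revoked; a row that is still marked V but already expired means nobody has run the database update, which is worth knowing before trusting the status column.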

