Magick Scripts

Creating an OpenSSL CA and SSL certificate

2006-12-24 11:26:26 by themage

Disclaimer

This is not intended to be an official howto, nor anything like it. It is, more than anything else, a tutorial for myself: I need this kind of information with some frequency, so I decided to archive it, and since I think it can be useful to others, here it is.

Notes

Commands are shown in monospace, with the parts you type shown in bold.

What it takes

  1. OpenSSL on a Linux system (no reconfiguration needed).
  2. The certificate request you want to sign.


RoadMap

Preparing the working dirs

  • Create a working directory yourCA and chdir to it.
  • Create the directories and files that openssl ca expects (some of them at least):

yourCA$ mkdir keys
yourCA$ mkdir certs
yourCA$ mkdir requests
yourCA$ mkdir -p demoCA/newcerts
yourCA$ echo 01 >demoCA/serial
yourCA$ touch demoCA/index.txt


Set up a Certificate Authority

  • Create a private key that will be used for our CA:
yourCA$ openssl genrsa -aes256 -out keys/ca.key 2048

This will ask (and re-ask) for a password, because -aes256 encrypts the key file on disk. Choose one you can easily remember, since you'll need it every time you sign another certificate with this CA.

This will create a key file at keys/ca.key, containing the private key we will use for our CA.

  • Then we create a master certificate based on that key (the -x509 option makes it self-signed; it is the root of trust for everything we sign later):
yourCA$ openssl req -new -x509 -days 5000 -key keys/ca.key -out certs/ca.cer

  • This last step is optional, and creates a PKCS#12 bundle that Windows users can import into their browser. Note that with -inkey the bundle also contains the CA private key, so it must not be distributed; to hand users only the trust anchor, export the certificate alone with -nokeys (and no -inkey):


yourCA$ openssl pkcs12 -export -in certs/ca.cer -inkey keys/ca.key -out certs/ca.p12

Sign the Certificate Request

  • Copy the certificate request to the yourCA/requests dir. From now on I'll assume a request file called request.req.
  • Sign the request:


yourCA$ openssl ca -policy policy_anything -cert certs/ca.cer -keyfile keys/ca.key -in requests/request.req -days 730 -out certs/request.cer

Important things in this command line:
    • -policy policy_anything - a relaxed policy that allows signing requests whose name, country, etc. differ from our CA's. Use -policy policy_match for a more restrictive policy that requires those fields to match the CA certificate.
    • -in requests/request.req - the certificate request we are signing.
    • -days 730 - we are signing a certificate for 2 years; change the number to the validity period you want.


  • Convert the signed certificate into plain x509 (PEM) format. openssl ca prepends a human-readable dump of the certificate to its output; this step strips it and keeps only the PEM block, which is the preferred form (and for some servers the only one accepted):


yourCA$ openssl x509 -in certs/request.cer -out certs/request.x509.cer
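The whole procedure above, from the working directories to the x509 conversion, as one non-interactive script. This is an added example, not the post's own commands: it writes a minimal openssl.cnf so that openssl ca runs without the system configuration, generates a throw-away request because the post assumes you already have one, and finishes with openssl verify. The subjects, the hostname www.example.com and the passphrase are constructed; -batch, -subj and pass: arguments replace the interactive prompts, and the PKCS#12 bundle is exported with -nokeys so that the CA private key stays in keys/.

```shell
#!/bin/sh
# Added example, not code from the original post: every step of the post run
# without prompts in a scratch directory. Subjects, hostname and passphrase are
# constructed for the demo; the request is generated here too, because the
# post assumes you already have one to sign.
set -eu

CA_PASS="demo-ca-passphrase"   # constructed; pick a real passphrase for a real CA

# Minimal openssl.cnf so "openssl ca" does not depend on the system config.
# The layout is the one the post creates: demoCA/{serial,index.txt,newcerts}.
write_ca_config() {
    cat >"$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied

[ v3_ca ]
# The root must declare itself a CA, or verifiers reject the chain.
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
# Signed end-entity certificates must not be able to sign further certificates.
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com   # constructed demo hostname

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
EOF
}

# Run every step of the post in a fresh temp dir and print that dir's path.
run_demo_ca() {
    work=$(mktemp -d)
    (
        cd "$work"
        # Preparing the working dirs
        mkdir -p keys certs requests demoCA/newcerts
        echo 01 >demoCA/serial
        touch demoCA/index.txt
        write_ca_config openssl.cnf

        # Set up a Certificate Authority: encrypted key, then self-signed root
        openssl genrsa -aes256 -passout pass:"$CA_PASS" -out keys/ca.key 2048
        openssl req -new -x509 -days 5000 -config openssl.cnf \
            -key keys/ca.key -passin pass:"$CA_PASS" \
            -subj "/O=Example Org/CN=Example Demo Root CA" -out certs/ca.cer
        # Trust anchor for users: certificate only (-nokeys), so the CA
        # private key never leaves keys/.
        openssl pkcs12 -export -nokeys -in certs/ca.cer \
            -passout pass:"$CA_PASS" -out certs/ca.p12

        # The post assumes a request already exists; make one for the demo.
        openssl genrsa -out keys/request.key 2048
        openssl req -new -config openssl.cnf -key keys/request.key \
            -subj "/O=Example Org/CN=www.example.com" -out requests/request.req

        # Sign the Certificate Request (-batch replaces the y/n prompts)
        openssl ca -batch -config openssl.cnf -policy policy_anything \
            -cert certs/ca.cer -keyfile keys/ca.key -passin pass:"$CA_PASS" \
            -in requests/request.req -days 730 -out certs/request.cer

        # Strip the text dump that "openssl ca" prepends, keeping just the PEM.
        openssl x509 -in certs/request.cer -out certs/request.x509.cer

        # Check that the result chains to our root before handing it out.
        openssl verify -CAfile certs/ca.cer certs/request.x509.cer >&2
    )
    echo "$work"
}

work_dir=$(run_demo_ca)
echo "CA and signed certificate written under $work_dir"
```

The config's `[ v3_ca ]` and `[ usr_cert ]` sections are the part worth keeping when adapting this: without basicConstraints CA:TRUE on the root, modern verifiers reject the chain, and without CA:FALSE on what you sign, a leaf certificate could itself be used to issue certificates.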

Credits

This is a derivative work, based on the one published under the GNU Free Documentation License by Dylan Beattie at the homepage of Dylan Beattie. His example is based on DOS, this one on Linux.
