PDF download Download Article
An easy-to-follow guide on being your own CA
PDF download Download Article

Getting an SSL certificate from any of the major Certificate Authorities (CAs) can run $100 and up. Add to the mix, news stories which seem to indicate that not all of the established CAs can be trusted 100% of the time and you might decide to circumvent the uncertainty and erase the cost by being your own Certificate Authority.

Part 1
Part 1 of 4:

Creating your CA Certificate

PDF download Download Article
    • openssl genrsa -des3 -out server.CA.key 2048
    • The options explained
      • openssl - the name of the software
      • genrsa - creates a new private key
      • -des3 - encrypt the key using the DES cipher
      • -out server.CA.key - the name of your new key
      • 2048 - the length, in bits, of the private key (Please see the warnings)
    • Store this certificate and the password in a safe place.
    • openssl req -verbose -new -key server.CA.key -out server.CA.csr -sha256
    • The options explained:
      • req - Creates a Signing Request
      • -verbose - shows you details about the request as it is being created (optional)
      • -new - creates a new request
      • -key server.CA.key - The private key you just created above.
      • -out server.CA.csr - The file name of the signing request you are creating
      • sha256 - The encryption algorithm to use for signing requests (If you don't know what this is, do not change this. You should only change this if you know what you are doing)
    Advertisement
    • Country Name (2 letter code) [AU]: US
    • State or Province Name (full name) [Some-State]: CA
    • Locality Name (e.g., city) []: Silicon Valley
    • Organization Name (e.g., company) [Internet Widgits Pty Ltd]: wikiHow, Inc.
    • Organizational Unit Name (eg, section) []:
    • Common Name (e.g., server FQDN or YOUR name) []: CA Certificate for wikiHow.com
    • Email Address []: certs@wikihow.com
    • openssl ca -extensions v3_ca -out server.CA-signed.crt -keyfile server.CA.key -verbose -selfsign -md sha256 -enddate 330630235959Z -infiles server.CA.csr
    • The options explained:
      • ca - Loads the Certificate Authority module
      • -extension v3_ca - Loads the v3_ca extension, a must-have for use on modern browsers
      • -out server.CA-signed.crt - The name of your new signed key
      • -keyfile server.CA.key - The private key you created in step 1
      • -verbose - shows you details about the request as it is being created (optional)
      • -selfsign - Tells openssl that you are using the same key to sign the request
      • -md sha256 - The encryption algorithm to use for the message. (If you don't know what this is, do not change this. You should only change this if you know what you are doing)
      • -enddate 330630235959Z - The end date of the certificate. The notation is YYMMDDHHMMSSZ where Z is in GMT, sometimes known as "Zulu" time.
      • -infiles server.CA.csr - the signing request file that you created the step above.
    • openssl x509 -noout -text -in server.CA.crt
    • The options explained:
      • x509 - Loads the x509 module to inspect signed certificates.
      • -noout - Do not output the encoded text
      • -text - output the information on the screen
      • -in server.CA.crt - Load the signed certificate
    • The server.CA.crt file can be distributed to anyone who will use your website or use certificates that you plan on signing.
  1. Advertisement
Part 2
Part 2 of 4:

Creating SSL Certificates for a Service, such as Apache

PDF download Download Article
    • openssl genrsa -des3 -out server.apache.key 2048
    • The options explained:
      • openssl - the name of the software
      • genrsa - creates a new private key
      • -des3 - encrypt the key using the DES cipher
      • -out server.apache.key - the name of your new key
      • 2048 - the length, in bits, of the private key (Please see the warnings)
    • Store this certificate and the password in a safe place.
    • openssl req -verbose -new -key server.apache.key -out server.apache.csr -sha256
    • The options explained:
      • req - Creates a Signing Request
      • -verbose - shows you details about the request as it is being created (optional)
      • -new - creates a new request
      • -key server.apache.key - The private key you just created above.
      • -out server.apache.csr - The file name of the signing request you are creating
      • sha256 - The encryption algorithm to use for signing requests (If you don't know what this is, do not change this. You should only change this if you know what you are doing)
    • openssl ca -out server.apache.pem -keyfile server.CA.key -infiles server.apache.csr
    • The options explained:
      • ca - Loads the Certificate Authority module
      • -out server.apache.pem - The file name the signed certificate
      • -keyfile server.CA.key - The file name of the CA certificate that will be signing the request
      • -infiles server.apache.csr - The file name of the Certificate Signing Request
    • Country Name (2 letter code) [AU]: US
    • State or Province Name (full name) [Some-State]: CA
    • Locality Name (e.g., city) []: Silicon Valley
    • Organization Name (e.g., company) [Internet Widgits Pty Ltd]: wikiHow, Inc.
    • Organizational Unit Name (eg, section) []:
    • Common Name (e.g., server FQDN or YOUR name) []: Apache SSL Certificate for wikiHow.com
    • Email Address []: certs@wikihow.com
  1. Create a private key without a password to prevent Apache from prompting you for a password:
    • openssl rsa -in server.apache.key -out server.apache.unsecured.key
    • The options explained:
      • rsa - Runs the RSA encryption program
      • -in server.apache.key - The key name that you want to convert.
      • -out server.apache.unsecured.key - The file name of the new unsecured key
  2. Use the resulting server.apache.pem file along with the private key you generated in step 1 to configure your apache2.conf file.
  3. Advertisement
Part 3
Part 3 of 4:

Creating a User Certificate for Authentication

PDF download Download Article
    • openssl pkcs12 -export -in user_cert.pem -inkey user_private_key.pem -out user_cert.p12
  1. Advertisement
Part 4
Part 4 of 4:

Creating S/MIME E-mail Certificates

PDF download Download Article
    • openssl genrsa -des3 -out private_email.key 2048
    • openssl req -new -key private_email.key -out private_email.csr
    • openssl ca -out private_email.pem -keyfile server.CA.key -infiles private_email.csr
    • openssl pkcs12 -export -in private_email.crt -inkey private_email.key -out private_email.p12
    • openssl pkcs12 -export -out public_cert.p12 -in private_email.pem -clcerts -nokeys -name "WikiHow's Public Key"
  1. Advertisement

Community Q&A

Search
Add New Question
  • Question
    How would I complete this on Windows?
    Community Answer
    You need open SSL for Windows. There are various projects out there on the web offering such binaries and installers. Please Google it!
  • Question
    Once I have set up my own CA, how do I add it to browsers, Java, and other apps, so that they will then trust any server or app certs I signed with my CA cert instead of giving errors?
    Community Answer
    You will need to get together with browser vendors and have them install your certificate on devices. Depending on the vendor, this could require a large sum of money.
Ask a Question
      Advertisement

      Tips

      • You can vary the contents of PEM keys by issuing the following command: openssl x509 -noout -text -in certificate.pem
      Submit a Tip
      All tip submissions are carefully reviewed before being published
      Name
      Please provide your name and last initial
      Thanks for submitting a tip for review!
      Advertisement

      Warnings

      • 1024-bit keys are considered to be obsolete. 2048-bit keys are considered to be secure for user certificates until 2030, but is considered insufficient for root certificates. Consider these vulnerabilities as you create your certificates.
      • By default, most modern browsers will show an "Untrusted certificate" warning when someone visits your site. There has been much debate over the wording of these warnings, as non-technical users can be caught off-guard. It's often best to use a major authority so users do not get the warnings.
      Advertisement

      Things You'll Need

      • Linux distribution with OpenSSL installed
      • Terminal access

      References

      About This Article

      Thanks to all authors for creating a page that has been read 169,610 times.

      Is this article up to date?

      Advertisement