
Certificate signing with OpenSSL CA

Certificate signing with OpenSSL CA refers to the process of using the OpenSSL command-line tool to act as a Certificate Authority (CA). This involves generating a private key, creating a self-signed root certificate, and then using that CA certificate and key to sign Certificate Signing Requests (CSRs) submitted by other entities^[600-developer-tools-security-ca.md].

Creating the CA Private Key

The first step in establishing a CA is generating a private key. This can be done with or without password protection.

  • Encrypted Key (DES3): To create a key protected by a password (e.g., 123456), use the -des3 flag^[600-developer-tools-security-ca.md].
    openssl genrsa -des3 -out ca-des3.key 2048
  • Unencrypted Key: For a key without a password, omit the encryption flag^[600-developer-tools-security-ca.md].
    openssl genrsa -out ca.key 2048

Generating the CA Certificate

Once the private key exists, it is used to generate the self-signed X.509 root certificate (ca.crt). This certificate identifies the CA and is valid for a specified period (e.g., 3650 days)^[600-developer-tools-security-ca.md].

During generation, the user must provide Distinguished Name (DN) information such as Country, State, Organization, and Common Name (CN)^[600-developer-tools-security-ca.md].

openssl req -x509 -key ca-des3.key -out ca.crt -days 3650

Viewing the Certificate

To verify the details of the generated certificate, use the x509 command with the -text and -noout flags^[600-developer-tools-security-ca.md].

openssl x509 -in ca.crt -text -noout

The output displays the Version, Serial Number, Signature Algorithm, Issuer, Validity, Subject, and Public Key details^[600-developer-tools-security-ca.md]. In a root CA certificate, the "Issuer" and "Subject" fields are identical, and the X509v3 Basic Constraints extension indicates CA:TRUE^[600-developer-tools-security-ca.md].

Signing Server Certificates

The primary function of a CA is to sign certificates for other entities. To sign a server certificate (commonly stored in PEM format), the CA processes a Certificate Signing Request (CSR) using its own private key and root certificate^[600-developer-tools-security-ca.md].

The command openssl ca is used for this operation. It takes the input request file and outputs the signed certificate^[600-developer-tools-security-ca.md]. Unlike req and x509, openssl ca reads the CA's certificate, private key, certificate database and serial file from the CA section of an OpenSSL configuration file (such as the caconfig.cnf mentioned below), so that file must exist before the command is run.

openssl ca -in tempreq.pem -out server_crt.pem
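An added, runnable walk-through of the whole procedure (example code, not from the original page): it creates a throwaway root CA, writes the minimal caconfig.cnf that openssl ca needs (database, serial, policy and server extensions), issues a CSR carrying the development domain in subjectAltName as described under Domain and Configuration below, signs it with openssl ca and verifies the result. The domain dev.example.test, the file names and the temporary directory are constructed for this example; the only assumption is an openssl binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added lab example, not from the original page: a throwaway CA built with the commands
# above plus the minimal caconfig.cnf that "openssl ca" needs. All names are constructed.
set -eu
lab_ca_demo() (                    # subshell body, so the cd stays local to the call
  work=$(mktemp -d) && cd "$work"
  mkdir newcerts && touch index.txt && echo 1000 > serial   # the CA's database files
  cat > caconfig.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = lab_policy
# copy subjectAltName from the CSR, but the CA-side server_ext settings always win
copy_extensions = copy
x509_extensions = server_ext
[ lab_policy ]
commonName = supplied
[ server_ext ]
# a signed request can never become a CA, whatever its CSR asked for
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # 1. Root CA: key plus self-signed certificate (3650 days), as on the page.
  openssl req -config caconfig.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Lab Root CA" 2>/dev/null
  # 2. Server key and CSR; the dev domain goes into subjectAltName.
  openssl req -config caconfig.cnf -new -newkey rsa:2048 -nodes -keyout server.key \
    -out tempreq.pem -subj "/CN=dev.example.test" \
    -addext "subjectAltName=DNS:dev.example.test" 2>/dev/null
  # 3. Sign with "openssl ca" (-batch skips the interactive confirmation).
  openssl ca -batch -config caconfig.cnf -in tempreq.pem -out server_crt.pem 2>/dev/null
  # 4. Results: chain check against ca.crt, then the SAN copied into the signed cert.
  openssl verify -CAfile ca.crt server_crt.pem
  openssl x509 -in server_crt.pem -noout -ext subjectAltName
)
lab_ca_demo
```

Everything is written to a fresh temporary directory, so the script can be rerun without disturbing an existing CA database.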

Domain and Configuration

When setting up HTTPS for a local development environment, configuration files and system hosts must be adjusted to match the domain used in the certificates^[600-developer-tools-security-ca.md].

  • Hosts File: Map the domain to the local IP (e.g., 127.0.0.1) in /etc/hosts^[600-developer-tools-security-ca.md].
  • OpenSSL Configuration (cnf): Configuration files like caconfig.cnf or exampleserver.cnf should be updated to include the specific domain in the subjectAltName or commonName fields^[600-developer-tools-security-ca.md].

Related

  • [[X.509]]
  • [[Public key infrastructure]]
  • [[HTTPS]]

Sources

  • 600-developer-tools-security-ca.md