OpenSSL self-signed CA certificate generation
OpenSSL self-signed CA certificate generation refers to the process of creating a private Certificate Authority (CA) key and a self-signed root certificate using the OpenSSL command-line tool. This allows local TLS/SSL certificates to be issued for development or internal networks, and is commonly used when setting up [[HTTPS]] configurations.^[600-developer__tools__security__CA.md]
Generating the CA Private Key
The first step in establishing a CA is generating its private key. This key is the identity of the Certificate Authority: everything the CA signs is trusted because of it, so anyone who obtains the key can issue certificates that every client trusting the CA will accept. You may choose to protect the key with a passphrase or leave it unprotected.
Encrypted Key (DES3)
To generate a key whose on-disk file is encrypted with Triple DES (3DES) under a passphrase, use the genrsa command with the -des3 flag^[600-developer__tools__security__CA.md]. You will be prompted to enter the passphrase. (Newer OpenSSL releases also accept -aes256 here, which is the stronger choice.)
openssl genrsa -des3 -out ca-des3.key 2048
Unencrypted Key
For automation or ease of use in non-production environments, you can generate a key without a passphrase by running the same command without the encryption flag^[600-developer__tools__security__CA.md]. The resulting file holds the key in plaintext, so restrict its file permissions.
openssl genrsa -out ca.key 2048
Creating the Self-Signed Certificate
Once the private key is generated, it is used to create the self-signed X.509 certificate (.crt or .cer). This certificate serves as the root certificate for your internal CA^[600-developer__tools__security__CA.md].
The command below creates a certificate valid for 3650 days (10 years)^[600-developer__tools__security__CA.md]; because it uses the DES3-encrypted key, OpenSSL first prompts for that key's passphrase:
openssl req -x509 -key ca-des3.key -out ca.crt -days 3650
During this process, OpenSSL prompts for the Distinguished Name (DN) fields to be included in the certificate's Subject^[600-developer__tools__security__CA.md]. Common fields include:
* Country Name (e.g., TW)
* State or Province Name (e.g., Taiwan)
* Locality Name (e.g., taipei)
* Organization Name (e.g., tommy-dev)
* Common Name (CN): This is often the domain name or a specific identifier (e.g., *.yudady.tk)^[600-developer__tools__security__CA.md].
Verifying Certificate Details
To inspect a generated certificate and confirm that it was created as intended, use the x509 command with the -text and -noout flags^[600-developer__tools__security__CA.md]:
openssl x509 -in ca.crt -text -noout
The output displays the Version, Serial Number, Signature Algorithm, Issuer, Validity period, Subject, and Public Key information^[600-developer__tools__security__CA.md]. It also shows the extension X509v3 Basic Constraints: CA:TRUE, confirming that the certificate is marked as a Certificate Authority and can therefore be used to sign other certificates^[600-developer__tools__security__CA.md].
Configuration and Domain Mapping
When using self-signed certificates for web servers (e.g., for HTTPS), the name in the certificate must match the address clients connect to; modern browsers match against the subjectAltName extension rather than the Common Name.
Hosts File
To test locally, the system's hosts file can be modified to map the target domain to the local loopback address^[600-developer__tools__security__CA.md]:
127.0.0.1 <your-domain>
OpenSSL Configuration
For more advanced setups, configuration files (often ending in .cnf) can be created or modified to define properties such as the subjectAltName or commonName statically, instead of answering the interactive prompts^[600-developer__tools__security__CA.md].
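The whole workflow from this note, carried through as an added example (not code from the original note): the CA key and self-signed root are created with explicit CA extensions from a .cnf file, one server certificate is issued with its subjectAltName set from a small extension file, and the chain is checked with openssl verify. It assumes openssl 1.1.1 or later on PATH; the work directory, the DNS name dev.example.internal and the CA name are invented.

```shell
# Added example (not part of the original note): private CA with explicit CA
# extensions, one server cert with a SAN from a .cnf fragment, chain check.
# Assumptions: openssl 1.1.1+ on PATH; every name and path here is invented.
set -eu

make_ca() {  # $1 = work dir, $2 = server DNS name
  dir="$1"; domain="$2"; mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null   # unencrypted, as in the note
  # Static DN plus v3 CA extensions; without CA:TRUE/keyCertSign clients reject the root.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = TW
O = tommy-dev
CN = tommy-dev Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650
  # Leaf: CN alone is ignored by modern clients, the subjectAltName is what gets matched.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/C=TW/O=tommy-dev/CN=$domain" -out "$dir/server.csr"
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
    "$domain" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when the leaf chains to the CA and carries the expected DNS SAN.
check_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# The field the note tells you to look for in `x509 -text`; prints CA:TRUE.
ca_basic_constraints() {
  openssl x509 -in "$1/ca.crt" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

if [ -n "${1:-}" ]; then   # usage: sh make-ca.sh <workdir> [dns-name]
  make_ca "$1" "${2:-dev.example.internal}"
  check_chain "$1" "${2:-dev.example.internal}" && echo "chain OK, root is $(ca_basic_constraints "$1")"
fi
```

Point a client at the root with the CA file (for example curl --cacert on ca.crt) and the hosts-file mapping above, and the server certificate validates for the mapped name only.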
Related Concepts
- [[HTTPS]]
- [[流程化筆記]]: Useful for documenting the specific steps and parameters used in your organization's certificate generation workflow.
Sources
^[600-developer__tools__security__CA.md]