
Self-signed Certificate Authority (CA)

A self-signed certificate authority (CA) is a root CA that a developer creates manually with cryptographic tools such as OpenSSL: its root certificate is signed by its own private key rather than by a publicly trusted CA. This lets the developer act as their own issuer of digital certificates, typically for local development or testing environments, at the cost of having to import the root certificate into every client (browser, OS trust store, language runtime) that should trust it.^[600-developer-tools-security-ca.md]

Generating the CA Private Key

The first step in establishing a self-signed CA is generating a root key pair. This is typically an RSA 2048-bit key.^[600-developer-tools-security-ca.md]

Using the OpenSSL command-line tool, this key can be generated with or without password protection:

  • Encrypted key (-des3): The key file is stored under a passphrase (the source uses 123456 as an example), which must be supplied every time the key is used for signing. -des3 selects the legacy 3DES cipher; current OpenSSL also accepts -aes256 for the same purpose.^[600-developer-tools-security-ca.md]
    • Command: openssl genrsa -des3 -out ca-des3.key 2048^[600-developer-tools-security-ca.md]
  • Unencrypted key: Usable without a passphrase, so anyone who can read the file can sign with the CA; acceptable only for throwaway development CAs.^[600-developer-tools-security-ca.md]
    • Command: openssl genrsa -out ca.key 2048^[600-developer-tools-security-ca.md]

Creating the Root Certificate

Once the private key exists, it is used to generate a self-signed X.509 root certificate (CRT/CER).^[600-developer-tools-security-ca.md]

The command uses the -x509 flag, which makes openssl req output a self-signed certificate rather than a certificate signing request.^[600-developer-tools-security-ca.md]

  • Command: openssl req -x509 -key ca-des3.key -out ca.crt -days 3650^[600-developer-tools-security-ca.md]
  • Validity: -days 3650 sets a validity period of 10 years; without the flag, openssl req -x509 defaults to 30 days.^[600-developer-tools-security-ca.md]
  • Attributes: OpenSSL prompts for the key's passphrase (if encrypted) and then for the Distinguished Name (DN) fields, which include attributes such as Country, State, Organization, and Common Name.^[600-developer-tools-security-ca.md]

The resulting certificate contains metadata identifying the CA, such as the Issuer, Subject, and validity period.^[600-developer-tools-security-ca.md] The file output is typically in PEM format (Base64 encoded), beginning with -----BEGIN CERTIFICATE-----.^[600-developer-tools-security-ca.md]

Configuration and Domain Mapping

For a self-signed CA to function within a local environment, specific configuration files and system mappings are required.

  • Hosts File: Name resolution for the test domain must be configured manually, typically by adding a line to /etc/hosts that maps the domain (e.g., <your-domain>) to 127.0.0.1, so that clients connect to the local server that presents a certificate for that name.^[600-developer-tools-security-ca.md]
  • OpenSSL Configuration (cnf): Configuration files like caconfig.cnf or exampleserver.cnf must be updated to reflect the target domain. Specifically, the subjectAltName in caconfig.cnf and the commonName in exampleserver.cnf should be set to the intended domain name. Modern browsers (Chrome since version 58) match the requested host against subjectAltName only and no longer fall back to the Common Name, so the SAN entry is the one that must be correct.^[600-developer-tools-security-ca.md]

Issuing Certificates

The primary purpose of the self-signed CA root is to sign other certificates. The CA uses its private key to sign Certificate Signing Requests (CSRs), generated with openssl req -new, for servers or clients.^[600-developer-tools-security-ca.md]

  • Command: openssl ca -in tempreq.pem -out server_crt.pem^[600-developer-tools-security-ca.md]
  • Requirements: openssl ca takes its settings (signing key and certificate, the index.txt database, the serial file, default validity, and the extensions to add) from the [ca] section of the configuration file selected with -config, such as caconfig.cnf above; the command fails if the database and serial files do not exist.

Viewing Certificate Details

To verify the contents of a generated certificate, the openssl x509 command is used with the -text and -noout flags.^[600-developer-tools-security-ca.md]

  • Command: openssl x509 -in ca.crt -text -noout^[600-developer-tools-security-ca.md]

This command outputs the certificate's Data structure, including:

  • Version and serial number
  • Issuer and Subject information
  • Validity dates
  • Public key details
  • Extensions, such as X509v3 Basic Constraints: CA:TRUE, which marks the certificate as a CA^[600-developer-tools-security-ca.md]
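The whole procedure, from the CA key through issuing a server certificate to inspecting the result, as an added example that is not code from the source page or from any project: a throwaway CA with a minimal configuration that satisfies openssl ca, a server certificate carrying a subjectAltName, chain and hostname verification with openssl verify, and the CA:TRUE check read from openssl x509 -text output. The file layout, the CA name Demo Root CA, the host app.local.test, and the helper function names are assumptions chosen for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the page or any project): a throwaway private CA built
# with the OpenSSL CLI and exercised end to end. Names such as "Demo Root CA"
# and "app.local.test" are assumptions chosen for the demo.
set -euo pipefail

# make_ca DIR: private key, self-signed root certificate (CA:TRUE, keyCertSign),
# and the database/serial files that `openssl ca` refuses to run without.
make_ca() {
  local dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"       # issued-certificate database, empty at start
  echo 1000 > "$dir/serial"  # next serial number (hex)
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = copy          # take subjectAltName from the CSR
x509_extensions = server_ext    # leaf certificates are never CAs

[ policy_any ]
commonName       = supplied
organizationName = optional
countryName      = optional

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
distinguished_name = ca_dn
x509_extensions    = ca_ext
prompt             = no

[ ca_dn ]
CN = Demo Root CA
O  = Example Dev

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  # -x509 makes req emit a self-signed certificate instead of a CSR.
  openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" -days 3650 -out "$dir/ca.crt"
}

# issue_server_cert DIR HOST: key + CSR carrying a subjectAltName for HOST,
# signed by the CA; the SAN is copied from the CSR, server_ext is added by the CA.
issue_server_cert() {
  local dir=$1 host=$2
  cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = server_dn
req_extensions     = server_req_ext
prompt             = no

[ server_dn ]
CN = $host

[ server_req_ext ]
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$dir/server.cnf" -key "$dir/server.key" -out "$dir/server.csr"
  # -batch: no confirmation prompt; -notext: write only the PEM block to -out.
  openssl ca -batch -notext -config "$dir/ca.cnf" -in "$dir/server.csr" -out "$dir/server.crt" >/dev/null
}

# verify_leaf DIR HOST: chain check against the root plus hostname check against the SAN.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# cert_is_ca FILE: true when Basic Constraints reads CA:TRUE in `openssl x509 -text -noout`.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep 'CA:TRUE' >/dev/null
}

# leaf_sans DIR: the subjectAltName line of the issued server certificate.
leaf_sans() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

main() {
  local work host=app.local.test
  work=$(mktemp -d)
  make_ca "$work"
  issue_server_cert "$work" "$host"
  openssl x509 -in "$work/ca.crt" -noout -subject -issuer -dates   # self-signed: subject == issuer
  echo "leaf SAN: $(leaf_sans "$work")"
  if verify_leaf "$work" "$host"; then echo "verify OK for $host"; else echo "verify FAILED"; exit 1; fi
  # A name absent from the SAN must be rejected even though the chain itself is valid.
  if verify_leaf "$work" other.local.test; then echo "unexpected: wrong host accepted"; exit 1; fi
  rm -rf "$work"
}
main
```

To use the result locally, add 127.0.0.1 app.local.test to /etc/hosts, point the server at server.key and server.crt, and import ca.crt into the client's trust store. For anything longer-lived than a throwaway CA, generate the root key with openssl genrsa -aes256 and pass the passphrase to req and ca with -passin so the signing key never sits unencrypted on disk.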

See also

  • [[Public-key cryptography]]
  • [[X.509]]
  • OpenSSL
  • [[Domain Name System (DNS)]]

Sources

  • 600-developer-tools-security-ca.md