How To Create Your Own Certification Authority (CA)
Create the CA's certificate.
Create a file ca.conf with the CA's certificate configuration (see the configuration format in req(1)):
[req] # Request section
default_bits = 4096 # Private key length
default_keyfile = ca.key # Destination of private key
encrypt_key = no # Do not use a passphrase to encrypt the private key
default_md = sha256 # Digest to sign with
x509_extensions = v3_req # Section with extensions
prompt = no # Do not ask for distinguished name attributes; use those in this file
utf8 = yes # Enable use of extended character set
distinguished_name = req_distinguished_name # Distinguished name section

[req_distinguished_name] # Distinguished name section
C = MX # Country code
ST = Estado de México # State
L = MEX # Locality or city
O = WAKE # Organization
OU = ITSEC # Organization department or unit
CN = WAKE CA V1 # Common name
emailAddress = email@example.com # Subject's email

[v3_req] # Extension section
basicConstraints = CA:TRUE # Certificate will belong to a Certification Authority
keyUsage = digitalSignature,nonRepudiation,keyCertSign # Intended uses of key
# subjectAltName is optional for a CA, along with its alt_names section
subjectAltName = @alt_names # Section for Subject Alternative Names

[alt_names] # Subject Alternative Names section
DNS.1 = ca.wake.mx
- Create the private key and the actual certificate.
openssl req -x509 -config ca.conf -days 3650 > ca.crt
- Optionally verify the created certificate details.
openssl x509 -noout -text -in ca.crt
- Add the new certificate ca.crt to the OS's trusted roots. In macOS:
- Open Keychain Access.
- Choose from Keychains: login (for user trusted certs) or System Roots (for system-wide trusted certs).
- Choose Certificates from the Category section.
- Drag and drop ca.crt into the listing.
- Input admin credentials when prompted.
- Right-click over new certificate.
- Click Get Info.
- Unfold Trust section.
- Choose Always Trust from the When using this certificate: dropdown menu.
- Close window and enter admin credentials as prompted.
- Quit Keychain Access.
Use the new CA's certificate to sign a Certificate Signing Request (CSR). In the end, this is what CAs do.
Create a configuration file client.conf for a new CSR:
[ req ] # Request section
default_bits = 4096 # Private key length
default_keyfile = client.key # Private key destination file
encrypt_key = no # Whether to encrypt the private key with a passphrase
default_md = sha256 # Digest to use for the requested certificate
req_extensions = req_ext # Request extensions section
prompt = no # Whether to prompt for distinguished name attributes
utf8 = yes # Whether to allow special characters
distinguished_name = req_distinguished_name # Distinguished name section

[ req_distinguished_name ] # Distinguished name section
C = MX # Country code
ST = CDMX # State
L = MEX # Locality or city
O = JYSA # Organization
OU = ITSEC # Organization's department or unit
CN = JYSA con tílde # Common name
emailAddress = firstname.lastname@example.org # Subject's email

[ req_ext ] # Extensions section
subjectAltName = @alt_names # Subject alternative names section

[alt_names] # Subject alternative names section
DNS.1 = jysa.wake.services # FQDN
DNS.2 = *.jysa.wake.mx # Wildcard domain
- Create the actual CSR.
openssl req -new -config client.conf > client.csr
- Create and sign the client's certificate, using its CSR, with the CA's certificate.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -days 365 -CAcreateserial -SHA256 -extfile client.conf -extensions req_ext > client.crt
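The following script is an added example and not part of the original page: it runs the CA-creation steps and the CSR-signing steps above end-to-end in a scratch directory, then performs the checks worth doing before a new CA or leaf certificate is trusted (the chain verifies against ca.crt, the SAN that Chrome requires is present, the signature digest is SHA-256, and only ca.crt carries CA:TRUE). The organisation names and the *.example.test hostnames are constructed, and it uses 2048-bit keys purely to keep the run short where the page uses 4096; the CA extensions are marked critical and include cRLSign, which is a common hardening not shown on the page.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds a CA, a CSR and a
# signed leaf certificate the way the page describes, then checks the result.
# All names are constructed; 2048-bit keys only to keep the demo fast.
set -eu

# Write the CA request config (mirrors the page's ca.conf, without the SAN).
write_ca_conf() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
default_keyfile = ca.key
encrypt_key = no
default_md = sha256
x509_extensions = v3_req
prompt = no
utf8 = yes
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = MX
O = WAKE
CN = WAKE CA V1

[v3_req]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
EOF
}

# Write the leaf request config (mirrors the page's client.conf).
write_client_conf() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
default_keyfile = client.key
encrypt_key = no
default_md = sha256
req_extensions = req_ext
prompt = no
utf8 = yes
distinguished_name = req_distinguished_name

[req_distinguished_name]
C = MX
O = JYSA
CN = jysa.example.test

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = jysa.example.test
DNS.2 = *.jysa.example.test
EOF
}

# Build the PKI inside directory $1: CA key+cert, leaf key+CSR, signed leaf cert.
# Keys land where default_keyfile points, so the openssl calls run inside $1.
build_pki() {
    write_ca_conf "$1/ca.conf"
    write_client_conf "$1/client.conf"
    (
        cd "$1"
        openssl req -new -x509 -config ca.conf -days 3650 -out ca.crt 2>/dev/null
        openssl req -new -config client.conf -out client.csr 2>/dev/null
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -days 365 \
            -CAcreateserial -sha256 -extfile client.conf -extensions req_ext \
            -out client.crt 2>/dev/null
    )
}

# Checks to run before trusting the output; each returns 0 when it passes.
chain_verifies() { openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1; }
cert_has_san()   { openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"; }
cert_is_ca()     { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
signature_algorithm() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

main() {
    work=$(mktemp -d)
    build_pki "$work"
    chain_verifies "$work" && echo "client.crt verifies against ca.crt"
    cert_has_san "$work/client.crt" 'jysa.example.test' && echo "SAN present"
    cert_is_ca "$work/ca.crt" && echo "ca.crt carries CA:TRUE"
    ! cert_is_ca "$work/client.crt" && echo "client.crt is not a CA"
    echo "signature: $(signature_algorithm "$work/client.crt")"
    rm -rf "$work"
}
main
```

Run it as `sh build-ca.sh`; every line it prints is one of the checks passing, and `set -e` aborts the script at the first openssl command or check that fails, which is the behaviour you want from anything that mints certificates.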
- Google Chrome will not trust certificates without the Subject Alternative Name extension.
- Google Chrome will not trust certificates signed with the SHA-1 algorithm. Use SHA-256.