openssl ca

June 8, 2020 by Mister PKI

openssl ca is the minimal CA (Certification Authority) built into the OpenSSL command-line tool. It can sign CSRs and issue certificates, including self-signed root CA certificates (with -selfsign), revoke certificates it has issued, and generate CRLs (Certificate Revocation Lists), keeping its state in a small text database (index.txt) plus a serial file. That is enough for a lab or an internal test PKI; it has no access control, audit log or key protection beyond file permissions, so treat it as a tool for learning and testing rather than a production CA.

Operating a CA with openssl ca

Create the CA's key and self-signed certificate with the openssl req command, writing them straight to the names and locations that openssl ca will look for (create the demoCA directories first):

openssl req -x509 -newkey rsa:4096 -days 3650 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem

Without -days the certificate is valid for only 30 days, which is rarely what you want for a root. The key is written passphrase-protected (you are prompted for the passphrase) and should stay that way: an unencrypted root key on disk is the weakest point of the whole setup.

Create the following file structure to support your CA (the newcerts and private directories must exist before openssl req or openssl ca can write into them):

├── demoCA
│   ├── cacert.pem
│   ├── crlnumber
│   ├── index.txt
│   ├── index.txt.attr
│   ├── newcerts
│   ├── private
│   │   └── cakey.pem
│   └── serial

index.txt is the CA database and must exist even if it is empty (touch demoCA/index.txt); serial and crlnumber hold the next certificate and CRL number as hexadecimal with an even number of digits (echo 01 > demoCA/serial).

The default openssl.cnf sets dir = ./demoCA, so all of these paths are relative to your current working directory: run openssl ca from the directory that contains demoCA, or point it at your own configuration with -config. On Debian and Ubuntu the default file is /usr/lib/ssl/openssl.cnf (a symlink to /etc/ssl/openssl.cnf); other distributions keep it elsewhere, and openssl version -d prints the directory OpenSSL actually uses. The key file must be named private/cakey.pem and the certificate cacert.pem, because those are the names the default configuration expects. If you run across Can't open ./demoCA/cacert.pem for reading, No such file or directory, unable to load CA private key, or unable to load certificate, you almost certainly have the wrong working directory, the wrong directory structure, or the wrong file names.

By default the CA certificate and each CSR must carry the same countryName, stateOrProvinceName and organizationName, otherwise signing fails with The organizationName field is different between CA certificate (...) and the request (...). This is not a rule of openssl ca itself but of the policy_match section that the default openssl.cnf selects with policy = policy_match. Pass -policy policy_anything (also defined in the default file) or edit the policy section to relax it, and note that subject fields the policy does not mention are silently dropped from the issued certificate unless you pass -preserveDN.

Sign a certificate with openssl ca

Use openssl ca to sign a CSR (Certificate Signing Request) and issue the certificate:

 openssl ca -in csr.pem -out newcert.pem

You are prompted for the CA key passphrase, then asked to confirm the signing and the database update; -batch answers yes to both and is what scripts need. The validity period comes from default_days in the configuration (365 in the default file) unless you pass -days. The issued certificate gets the X509v3 extensions from the section named by x509_extensions in the configuration (usr_cert in the default file, which sets basicConstraints = CA:FALSE); pick another section with -extensions. Extensions inside the CSR, such as subjectAltName, are ignored unless copy_extensions is enabled in the configuration, so by default they have to be supplied on the CA side.

You can sign several requests at once with -infiles, which must be the last option on the command line because everything after it is read as a CSR file name:

openssl ca -infiles req1.pem req2.pem req3.pem

Every certificate issued gets a line in index.txt, the CA database, recording its status, expiry date, serial number and subject. While index.txt.attr contains unique_subject = yes (the default), a request whose subject already has a valid certificate in the database is refused with ERROR:There is already a certificate for ...; set unique_subject = no if you need to re-issue the same subject, for example for renewals.

The serial file holds the next serial number in hex and is incremented after each issued certificate, so no two certificates from this CA share a serial number.

Generate a CRL (Certificate Revocation List) with openssl ca

First, make sure demoCA/crlnumber exists and contains the next CRL number as a hexadecimal value with an even number of digits: if you start at 1 the file must contain 01 (and, say, 0100 rather than 100), otherwise openssl ca fails with error while loading CRL number. The serial file follows the same rule.

To generate the CRL with openssl ca, run the following command:

openssl ca -gencrl -out crl.pem

A CRL only lists certificates that have been marked revoked in index.txt, so revoke first with openssl ca -revoke cert.pem and then generate a fresh CRL; its validity comes from default_crl_days in the configuration or the -crldays option. Each time a CRL is generated, the value in crlnumber is placed in the CRL Number extension of the new CRL and the file is incremented by 1.
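The three procedures above (laying out demoCA and creating the root, signing CSRs under a subject policy with the unique_subject check, and revoking a certificate and generating a CRL) as one runnable script. This is an added example, not code from the original post: it writes its own ca.cnf with absolute paths rather than editing the distro openssl.cnf, so it runs from any directory, and the organisation name, the *.example subjects, the function names and the unencrypted (-nodes) root key are choices made for the demo, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post: the demoCA layout from the
# post with its own ca.cnf (absolute paths, so it runs from any directory)
# instead of the distro openssl.cnf. The CA name, the *.example subjects, the
# function names and the unencrypted (-nodes) root key are demo choices.
set -eu

ca_setup() {  # ca_setup DIR: create the demoCA layout, ca.cnf and the root cert
  mkdir -p "$1/private" "$1/newcerts"
  chmod 700 "$1/private"
  : > "$1/index.txt"                                # the CA database, starts empty
  echo 'unique_subject = yes' > "$1/index.txt.attr"
  echo 01 > "$1/serial"                             # hex, even number of digits
  echo 01 > "$1/crlnumber"                          # same rule as serial
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
# default policy: C and O must equal the CA's, CN must be present
[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied
# select with -policy policy_anything for requests from other organisations
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
# extensions stamped onto issued certificates (CSR extensions are ignored)
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# extensions for the self-signed root
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=US/O=Mister PKI Demo/CN=Demo Root CA" -extensions v3_ca \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

ca_issue() {  # ca_issue DIR NAME SUBJECT [POLICY]: new key and CSR, sign, verify the chain
  openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -batch -notext -policy "${4:-policy_match}" \
    -in "$1/$2.csr" -out "$1/$2.pem" || return 1
  # Do not rely on the exit status alone: a refused request leaves no usable
  # certificate, so check that one was written and that it chains to the CA.
  [ -s "$1/$2.pem" ] && openssl verify -CAfile "$1/cacert.pem" "$1/$2.pem" >/dev/null
}

ca_count()  { wc -l < "$1/index.txt" | tr -d ' '; }                      # entries in the database
ca_revoke() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem"; }       # marks the entry R
ca_gencrl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem"; }
ca_verify_crl() {  # ca_verify_crl DIR NAME: 0 only if the cert chains to the CA and is not in crl.pem
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$1/$2.pem" >/dev/null
}

run_demo() {  # run_demo DIR
  ca_setup "$1"
  ca_issue "$1" web1 "/C=US/O=Mister PKI Demo/CN=web1.example"
  echo "issued web1; serial file is now $(cat "$1/serial")"
  ca_issue "$1" vpn "/C=US/O=Other Org/CN=vpn.example" ||
    echo "refused: organizationName differs from the CA (policy_match)"
  ca_issue "$1" vpn "/C=US/O=Other Org/CN=vpn.example" policy_anything
  ca_issue "$1" web1dup "/C=US/O=Mister PKI Demo/CN=web1.example" ||
    echo "refused: that subject already has a valid certificate (unique_subject = yes)"
  echo "index.txt has $(ca_count "$1") entries; serial file is now $(cat "$1/serial")"
  ca_revoke "$1" web1 && ca_gencrl "$1"
  echo "CRL written; crlnumber file is now $(cat "$1/crlnumber")"
  ca_verify_crl "$1" web1 || echo "web1 is revoked according to crl.pem"
  ca_verify_crl "$1" vpn && echo "vpn is still valid; CA files left in $1"
}
run_demo "${1:-$(mktemp -d)}"
```

Run it as sh ca-demo.sh [dir] and watch the two refusals in the output: the first prints the organizationName message that policy_match produces, the second the There is already a certificate message from unique_subject = yes. The check in ca_issue (a non-empty certificate file that verifies against cacert.pem) rather than the exit status of openssl ca is the one worth keeping in any automation built around this tool.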

If you would like to see a deeper dive into running your own CA with openssl, let us know in the comments!


Comments

  1. Alex R. says

    November 18, 2020 at 7:49 am

    If I want to “renew” the root CA, what is the best way to do it?
    I have an internal CA set up in Ubuntu and the root CA is expiring soon, so I need to extend it another 3 years.

    • Mister PKI says

      November 18, 2020 at 8:26 pm

      To renew the root CA certificate, run the following command with the existing root CA private key.
      openssl req -new -key root.key -out newcsr.csr

      Then sign the generated csr with the same private key. Note that days=3650 (10 years), to follow best practice for “offline” root CA private keys. If you cannot take the root offline, then a shorter validity period would be recommended.
      openssl x509 -req -days 3650 -in newcsr.csr -signkey root.key -out newroot.pem

      As always, make sure to test this before a production deploy/change.

      • Alex R says

        November 18, 2020 at 11:02 pm

        Thank you for the quick response.
        Does the renewed root certificate also need to be named, “cacert.pem”? I tried using a different name and it didn’t work.
        And yes, the root CA private keys are offline.

        • Mister PKI says

          November 19, 2020 at 1:06 pm

          I’m unsure of how you’re using the root CA certificate. If it’s being installed in a truststore (java keystore, OS truststore, etc), the name doesn’t matter. If some software is looking for the file itself, then the file name would matter.

  2. Simon Kurtz says

    December 16, 2021 at 2:58 pm

    Great documentation! I wonder whether the directory structure should be created first, then execute this command subsequently:

    openssl req -x509 -newkey rsa:4096 -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem

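The root renewal described in Mister PKI's reply to Alex R. above, as an added example that is not code from the post or its comments. It follows the reply's recipe (a new CSR made with the existing root key, re-signed with -signkey) and adds the one step that recipe leaves out: openssl x509 -req does not carry CA extensions into the new certificate on its own, so without -extfile the renewed root has no basicConstraints CA:TRUE. The file names (root.key, root.pem, naive.pem, newroot.pem), the Demo Root CA subject and www.example are assumed for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or its comments: renew a root CA
# certificate with the same key and subject, keep its CA extensions, and check
# that a certificate issued under the old root still verifies under the new one.
# File names and subjects are assumed for the demo.
set -eu
ROOT_SUBJ="/C=US/O=Mister PKI Demo/CN=Demo Root CA"

make_old_root() {  # make_old_root DIR: an existing root plus one certificate it issued
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = v3_ca' '[ dn ]' \
    '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$1/root.cnf"
  openssl req -config "$1/root.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$ROOT_SUBJ" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -config "$1/root.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Mister PKI Demo/CN=www.example" -keyout "$1/www.key" -out "$1/www.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$1/www.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -out "$1/www.pem" 2>/dev/null
}

renew_root() {  # renew_root DIR: same key, same subject, fresh 10-year validity
  openssl req -config "$1/root.cnf" -new -key "$1/root.key" -subj "$ROOT_SUBJ" -out "$1/newcsr.csr"
  # The command from the comment thread as posted: signs fine, but carries no extensions.
  openssl x509 -req -days 3650 -sha256 -in "$1/newcsr.csr" -signkey "$1/root.key" \
    -out "$1/naive.pem" 2>/dev/null
  # The same signing with the v3_ca extensions re-applied from the config file.
  openssl x509 -req -days 3650 -sha256 -in "$1/newcsr.csr" -signkey "$1/root.key" \
    -extfile "$1/root.cnf" -extensions v3_ca -out "$1/newroot.pem" 2>/dev/null
}

pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }
is_ca()     { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
old_leaf_verifies() {  # old_leaf_verifies DIR ROOTFILE: does www.pem chain to that root?
  openssl verify -CAfile "$1/$2" "$1/www.pem" >/dev/null
}

d=${1:-$(mktemp -d)}
make_old_root "$d"
renew_root "$d"
[ "$(pubkey_of "$d/root.pem")" = "$(pubkey_of "$d/newroot.pem")" ] && echo "newroot.pem has the same public key as root.pem"
is_ca "$d/naive.pem" || echo "naive.pem: no basicConstraints CA:TRUE, not usable as a root"
is_ca "$d/newroot.pem" && echo "newroot.pem: CA:TRUE kept"
old_leaf_verifies "$d" newroot.pem && echo "www.pem, issued under the old root, verifies under newroot.pem"
```

Because the key and the subject are unchanged, certificates issued under the old root keep verifying once newroot.pem is installed in truststores; only the file in the CA's own demoCA/cacert.pem slot and the copies distributed to clients need replacing.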
