The openssl ca command and utility is a lightweight piece of software that can be used to perform minimal CA (Certification Authority) functions. The command can sign and issue new certificates including self-signed Root CA certificates, generate CRLs (Certificate Revocation Lists), and other CA things.
Operating a CA with openssl ca
Create a self-signed certificate using the openssl req command.
openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem
Create the following file structure to support your CA:
├── demoCA │ ├── cacert.pem │ ├── index.txt.attr │ ├── newcerts │ ├── private │ │ └── cakey.pem │ └── serial
Note that the openssl.cnf configuration file expects you to be in the same directory as demoCA. On Linux, that file is
/usr/lib/ssl/openssl.cnf. Make sure the key file is
cakey.pem and the cert file is
cacert.pem, else openssl won’t be able to find it. If you run across
Can't open ./demoCA/cacert.pem for reading, No such file or directory,
unable to load CA private key, or
unable to load certificate you likely have the wrong directory structure or the wrong file names.
The CA certificate and CSRs must share the same organizationName, else you will receive the
The organizationName field is different between error message.
Sign certificate with ca openssl
Use openssl ca to generate and sign a new certificate. To sign a CSR (Certificate Signing Request), run the following command:
openssl ca -in csr.pem -out newcert.pem
The command used X509v3 extensions by default.
You can sign multiple requests at once using the
openssl ca -infiles req1.pem req2.pem req3.pem
The subject of each certificate is stored in
index.txt and cannot be duplicated if the index.txt.attr contains
unique_subject = yes.
In addition, the number in the serial file is incremented as well to avoid a serial number collision.
Generate a CRL (Certificate Revocation List) with openssl ca
First, make sure you have created the
demoCA/crlnumber file with a value. If you’re starting with the number 1, it must be a two digit value in the form of 01, else you will receive the
error while loading CRL number error.
To generate the CRL with openssl ca, run the following command:
openssl ca -gencrl -out crl.pem
Each time a new CRL is generated, the number provided in the crlnumber file is incremented by 1.
If you would like to see a deeper dive into running your own CA with openssl, let us know in the comments!