The openssl ca utility is a lightweight tool for performing minimal CA (Certification Authority) functions. It can sign and issue new certificates, including self-signed root CA certificates, generate CRLs (Certificate Revocation Lists), and handle other CA housekeeping.
Operating a CA with openssl ca
Create a self-signed certificate using the openssl req command.
openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem
Create the following file structure to support your CA:
├── demoCA
│ ├── cacert.pem
│ ├── index.txt.attr
│ ├── newcerts
│ ├── private
│ │ └── cakey.pem
│ └── serial
Note that the openssl.cnf configuration file expects you to be in the same directory as demoCA. On Linux, that file is /usr/lib/ssl/openssl.cnf. Make sure the key file is named cakey.pem and the cert file is named cacert.pem, else openssl won’t be able to find them. If you run across Can't open ./demoCA/cacert.pem for reading, No such file or directory, unable to load CA private key, or unable to load certificate, you likely have the wrong directory structure or the wrong file names.
The CA certificate and the CSRs must share the same organizationName, else you will receive the error message The organizationName field is different between.
Sign a certificate with openssl ca
Use openssl ca to generate and sign a new certificate. To sign a CSR (Certificate Signing Request), run the following command:
openssl ca -in csr.pem -out newcert.pem
The command uses X509v3 extensions by default.
You can sign multiple requests at once using the -infiles flag:
openssl ca -infiles req1.pem req2.pem req3.pem
The subject of each issued certificate is recorded in index.txt and cannot be duplicated if index.txt.attr contains unique_subject = yes. The number in the serial file is also incremented after each signature to avoid a serial number collision.
Generate a CRL (Certificate Revocation List) with openssl ca
First, make sure you have created the demoCA/crlnumber file with a value. If you’re starting with the number 1, it must be written as the two-digit value 01, else you will receive the error while loading CRL number error.
To generate the CRL with openssl ca, run the following command:
openssl ca -gencrl -out crl.pem
Each time a new CRL is generated, the number provided in the crlnumber file is incremented by 1.
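The whole cycle this post walks through (scaffolding demoCA, creating the self-signed root, signing a CSR with openssl ca, generating the CRL), as an added example that is not part of the original post. It assumes openssl is on PATH and that the system openssl.cnf has its default dir = ./demoCA and policy_match settings; the subject names are constructed.

```shell
#!/bin/sh
# Added example (not the page's own commands): scaffold the demoCA layout and
# run the post's cycle: self-signed root, CSR, "openssl ca" signing, CRL.
# Assumes openssl on PATH and the system openssl.cnf (dir = ./demoCA).
set -eu

# Seed files that the page's error messages trace back to.
make_demo_ca() {
  mkdir -p "$1/demoCA/newcerts" "$1/demoCA/private"
  : > "$1/demoCA/index.txt"                          # empty certificate database
  echo "unique_subject = yes" > "$1/demoCA/index.txt.attr"
  echo 01 > "$1/demoCA/serial"                       # next certificate serial
  echo 01 > "$1/demoCA/crlnumber"                    # two digits, as the page notes
  chmod 700 "$1/demoCA/private"                      # CA key lives here
}

# Full cycle, run from inside $1 because openssl.cnf looks for ./demoCA.
# The default policy_match needs C, ST and O to match the CA, so both
# subjects (constructed values) carry them; only the CN differs.
run_ca_cycle() {
  make_demo_ca "$1"
  ( cd "$1"
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 3650 \
      -subj "/C=US/ST=CA/O=Example Corp/CN=Example Root CA" \
      -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
    openssl req -new -batch -newkey rsa:2048 -nodes \
      -subj "/C=US/ST=CA/O=Example Corp/CN=server.example.test" \
      -keyout server-key.pem -out csr.pem 2>/dev/null
    openssl ca -batch -in csr.pem -out newcert.pem 2>/dev/null
    openssl ca -gencrl -out crl.pem 2>/dev/null
    # Confirm the issued certificate chains to the root we just made.
    openssl verify -CAfile demoCA/cacert.pem newcert.pem >/dev/null )
}

# Next serial the CA will use (01 before signing, 02 after one signature).
next_serial() { cat "$1/demoCA/serial"; }

# Number of valid (status V) rows recorded in index.txt.
issued_count() { grep -c '^V' "$1/demoCA/index.txt" || true; }
```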
If you would like to see a deeper dive into running your own CA with openssl, let us know in the comments!
If I want to “renew” the root CA, what is the best way to do it?
I have an internal CA set up in Ubuntu and the root CA is expiring soon, so I need to extend it another 3 years.
To renew the root CA certificate, run the following command with the existing root CA private key.
openssl req -new -key root.key -out newcsr.csr
Then sign the generated csr with the same private key. Note that days=3650 (10 years), to follow best practice for “offline” root CA private keys. If you cannot take the root offline, then a shorter validity period would be recommended.
openssl x509 -req -days 3650 -in newcsr.csr -signkey root.key -out newroot.pem
As always, make sure to test this before a production deploy/change.
Thank you for the quick response.
Does the renewed root certificate also need to be named, “cacert.pem”? I tried using a different name and it didn’t work.
And yes, the root CA private keys are offline.
I’m unsure of how you’re using the root CA certificate. If it’s being installed in a truststore (java keystore, OS truststore, etc), the name doesn’t matter. If some software is looking for the file itself, then the file name would matter.
Great documentation! I wonder whether the directory structure should be created first, then execute this command subsequently:
openssl req -x509 -newkey rsa:4096 -keyout demoCA\private\cakey.pem -out demoCA\cacert.pem