Mister PKI

SSL Certificates * SSL Tools * Certificate Decoder

by Leave a Comment

The openssl ca command and utility is a lightweight piece of software that can be used to perform minimal CA (Certification Authority) functions. The command can sign and issue new certificates including self-signed Root CA certificates, generate CRLs (Certificate Revocation Lists), and other CA things.

Operating a CA with openssl ca

Create a self-signed certificate using the openssl req command.

openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca-cert.pem

Create the following file structure to support your CA:

├── demoCA
│   ├── cacert.pem
│   ├── index.txt.attr
│   ├── newcerts
│   ├── private
│   │   └── cakey.pem
│   └── serial

Note that the openssl.cnf configuration file expects you to be in the same directory as demoCA. On Linux, that file is /usr/lib/ssl/openssl.cnf. Make sure the key file is cakey.pem and the cert file is cacert.pem, else openssl won’t be able to find it. If you run across Can't open ./demoCA/cacert.pem for reading, No such file or directory, unable to load CA private key, or unable to load certificate you likely have the wrong directory structure or the wrong file names.

The CA certificate and CSRs must share the same organizationName, else you will receive the The organizationName field is different between error message.

Sign certificate with ca openssl

Use openssl ca to generate and sign a new certificate. To sign a CSR (Certificate Signing Request), run the following command:

 openssl ca -in csr.pem -out newcert.pem

The command used X509v3 extensions by default.

You can sign multiple requests at once using the -infiles flag:

openssl ca -infiles req1.pem req2.pem req3.pem

The subject of each certificate is stored in index.txt and cannot be duplicated if the index.txt.attr contains unique_subject = yes.

In addition, the number in the serial file is incremented as well to avoid a serial number collision.

Generate a CRL (Certificate Revocation List) with openssl ca

First, make sure you have created the demoCA/crlnumber file with a value. If you’re starting with the number 1, it must be a two digit value in the form of 01, else you will receive the error while loading CRL number error.

To generate the CRL with openssl ca, run the following command:

openssl ca -gencrl -out crl.pem

Each time a new CRL is generated, the number provided in the crlnumber file is incremented by 1.

If you would like to see a deeper dive into running your own CA with openssl, let us know in the comments!

Read more of our content.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *