openssl ca

June 8, 2020 by Mister PKI

The openssl ca command is a lightweight utility that performs minimal CA (Certification Authority) functions. It can sign and issue new certificates, including self-signed Root CA certificates, generate CRLs (Certificate Revocation Lists), and handle other routine CA housekeeping.

Operating a CA with openssl ca

Create a self-signed CA certificate and private key using the openssl req command. Name the outputs cakey.pem and cacert.pem, because those are the file names openssl ca looks for in the directory layout shown below:

openssl req -x509 -newkey rsa:4096 -keyout cakey.pem -out cacert.pem

Create the following file structure to support your CA:

├── demoCA
│   ├── cacert.pem
│   ├── crlnumber
│   ├── index.txt
│   ├── index.txt.attr
│   ├── newcerts
│   ├── private
│   │   └── cakey.pem
│   └── serial

Note that the default openssl.cnf configuration file refers to the CA directory as ./demoCA, so you must run openssl ca from the parent directory of demoCA. On Linux, that file is /usr/lib/ssl/openssl.cnf. Make sure the key file is named cakey.pem and the certificate file is named cacert.pem, otherwise openssl won't be able to find them. If you run across "Can't open ./demoCA/cacert.pem for reading, No such file or directory", "unable to load CA private key", or "unable to load certificate", you most likely have the wrong directory structure or the wrong file names.

The CA certificate and the CSRs must share the same organizationName (the default policy section in openssl.cnf requires it to match), otherwise you will receive the "The organizationName field is different between" error message.

Sign a certificate with openssl ca

Use openssl ca to generate and sign a new certificate. To sign a CSR (Certificate Signing Request), run the following command:

openssl ca -in csr.pem -out newcert.pem

The command applies the X509v3 extensions configured in openssl.cnf by default.

You can sign multiple requests at once using the -infiles flag, which must be the last option on the command line because everything after it is treated as a request file:

openssl ca -infiles req1.pem req2.pem req3.pem

The subject of each issued certificate is recorded in index.txt, and a subject cannot be issued twice if index.txt.attr contains unique_subject = yes.

In addition, the number in the serial file is incremented after each issuance to avoid a serial number collision.

Generate a CRL (Certificate Revocation List) with openssl ca

First, make sure you have created the demoCA/crlnumber file with a value. If you're starting with the number 1, it must be written as a two-digit value, 01, otherwise you will receive the "error while loading CRL number" error.

To generate the CRL with openssl ca, run the following command:

openssl ca -gencrl -out crl.pem

Each time a new CRL is generated, the number provided in the crlnumber file is incremented by 1.
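The following script is an added example (not part of the original post) that bootstraps the demoCA layout and the serial/crlnumber counters described above, then preflight-checks the layout so the file-name, missing-file and odd-length-counter mistakes behind the error messages in this post are caught before openssl ca is run. The function names and the scratch directory are this example's own.

```shell
#!/bin/sh
# Added example: bootstrap and preflight-check the ./demoCA layout that the
# default openssl.cnf expects. Function names here are hypothetical.

# Create the directory layout, the empty index.txt database and the
# serial / crlnumber counters. Counters start at "01": two hex digits,
# since an odd-length value causes "error while loading CRL number".
democa_init() {
  dir="${1:-./demoCA}"
  mkdir -p "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"                 # CA key directory: owner only
  : > "$dir/index.txt"                     # empty certificate database
  echo "unique_subject = yes" > "$dir/index.txt.attr"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
}

# Report every problem openssl ca would trip over; return 1 if any were found.
democa_check() {
  dir="${1:-./demoCA}"; rc=0
  [ -f "$dir/cacert.pem" ]        || { echo "missing $dir/cacert.pem (unable to load certificate)"; rc=1; }
  [ -f "$dir/private/cakey.pem" ] || { echo "missing $dir/private/cakey.pem (unable to load CA private key)"; rc=1; }
  [ -f "$dir/index.txt" ]         || { echo "missing $dir/index.txt (certificate database)"; rc=1; }
  [ -d "$dir/newcerts" ]          || { echo "missing $dir/newcerts/ directory"; rc=1; }
  for f in serial crlnumber; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing $dir/$f"; rc=1
    elif ! head -n1 "$dir/$f" | grep -Eq '^([0-9A-Fa-f]{2})+$'; then
      echo "$dir/$f must hold an even number of hex digits, e.g. 01"; rc=1
    fi
  done
  return $rc
}

# Issue a certificate from a CSR and refresh the CRL. -batch skips the
# interactive prompts; run this from the parent directory of demoCA.
democa_sign_and_crl() {
  democa_check ./demoCA || return 1
  openssl ca -batch -in "$1" -out "$2" &&
  openssl ca -gencrl -out crl.pem
}

# Demonstration on a constructed scratch directory (no openssl needed yet):
tmp="$(mktemp -d)"
democa_init "$tmp/demoCA"
# The check now reports only cacert.pem and cakey.pem, which openssl req
# -x509 -keyout "$tmp/demoCA/private/cakey.pem" -out "$tmp/demoCA/cacert.pem" creates.
democa_check "$tmp/demoCA" || echo "create the CA key and certificate, then re-run"
```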

If you would like to see a deeper dive into running your own CA with openssl, let us know in the comments!
