2018 June Release

Create a CA via OpenSSL

Preparation

Create a directory for your CA and configure it in your openssl.cnf (parameter “dir”).

In this case, “/etc/pki/CA” will be used.

Create Private-key

mkdir -p /etc/pki/CA/private

cd /etc/pki/CA/

openssl genrsa -des3 -out private/cakey.pem 2048

Create CSR

openssl req -new -key private/cakey.pem \
                 -out careq.pem

Fill out the fields for the DN (Distinguished Name) like the country name, the name of your organization and the common name of your certificate authority.

Create Certificate

openssl x509 -days 1095 -signkey private/cakey.pem \
                        -CAserial serial \
                        -set_serial 00 \
                        -in careq.pem -req \
                        -out cacert.pem

Convert Certificate

openssl x509 -in cacert.pem \
             -out cacert.cer \
             -outform DER

Create CA Serial File

echo -n '00' > serial

Add CA to index.txt

The index.txt is a tab-separated file with the following columns:

  • State: “V” for Valid, “E” for Expired and “R” for Revoked
  • Enddate: in the format YYMMDDHHmmssZ (the “Z” stands for Zulu/GMT)
  • Date of Revocation: same format as “Enddate”
  • Serial: serial of the certificate
  • Path to Certificate: can also be “unknown”
  • Subject: subject of the certificate

You can parse the values from the certificate:

openssl x509 -in cacert.pem -serial -enddate -subject

Create an Entry for the CA-Certificate

echo -e "V\t120522135101Z\t\t00\tcacert.pem\t/C=AT/ST=Upper Austria/L=Linz/O=MyCompany/CN=MY Companys CA" > index.txt
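
The index.txt line above can be derived from the certificate fields instead of being typed by hand. The following is an added example, not part of the original page: index_entry is a hypothetical helper name, -nameopt compat is assumed so that the subject is printed in the slash-separated form used in the entry, and the sample input is constructed.

```shell
#!/bin/sh
# index_entry (hypothetical helper): reads the output of
#   openssl x509 -in cacert.pem -noout -serial -enddate -subject -nameopt compat
# on stdin and prints one tab-separated index.txt line with state "V".
# $1 = "Path to Certificate" column; defaults to "unknown".
index_entry() {
    awk -v path="${1:-unknown}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) month[names[i]] = i
    }
    /^serial=/ { serial = substr($0, 8) }
    /^notAfter=/ {
        # Input looks like: notAfter=May 22 13:51:01 2012 GMT
        n = split(substr($0, 10), f, " ")
        split(f[3], t, ":")
        # Two-digit years only cover 2000-2049 here; refuse anything else.
        if (n != 5 || f[5] != "GMT" || !(f[1] in month) ||
            (f[4] + 0) < 2000 || (f[4] + 0) > 2049)
            bad = 1
        enddate = sprintf("%02d%02d%02d%02d%02d%02dZ",
                          f[4] % 100, month[f[1]], f[2], t[1], t[2], t[3])
    }
    /^subject=/ {
        subject = substr($0, 9)
        sub(/^[ \t]+/, "", subject)   # older OpenSSL prints "subject= /C=..."
    }
    END {
        if (bad || serial == "" || enddate == "" || subject == "") {
            print "index_entry: cannot build entry from input" > "/dev/stderr"
            exit 1
        }
        printf "V\t%s\t\t%s\t%s\t%s\n", enddate, serial, path, subject
    }'
}

# Constructed sample input matching the entry shown above (not real output).
sample='serial=00
notAfter=May 22 13:51:01 2012 GMT
subject=/C=AT/ST=Upper Austria/L=Linz/O=MyCompany/CN=MY Companys CA'
printf '%s\n' "$sample" | index_entry cacert.pem
```

With a real certificate, pipe the openssl x509 command from the header comment into index_entry cacert.pem and redirect the result to index.txt.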