
Linux/Unix - Create a local Certificate Authority (CA)

I get these questions all the time. People know I have some experience with certificates, and one question is "Can't I just issue my own certs?" The answer of course is yes, but I always make sure to add that it will be of no use on a public web site, since no one will trust it.
So setting up your own CA is not "generally useful"; it is for specific needs, like issuing certificates from a single signing source for client logins or similar.

Most businesses will have a couple of Windows Domain Controllers. If you need to sign certs for a limited set of users, what you should do is make sure some system in your Windows domain runs Certificate Services, then issue certs from there, and make sure any non-domain members have a trust for that CA.

If you actually do need to set up your own CA, here is one way to do it.

Procedure to set up your own local CA

The common name for the CA cert must NOT be the same as a domain name or anything else you will need a cert for; I used "myLocalCA" for my CN in this example.
There is more than one way to do this; I recommend using a sequence file for serials, so this should work if you follow this setup.
I recommend using a local user which is not used for anything else; the steps below assume you run as that user.


  • Create a directory, set very private permissions, and go to it
    • mkdir ~/myLocalCA
    • chmod 0700 ~/myLocalCA
    • cd ~/myLocalCA
  • Create a protected CA key:  
    • openssl genrsa -des3 -out myLocalCA.key 4096
  • Create the CA cert valid for 10 years:
    • openssl req -new -x509 -days 3650 -key myLocalCA.key -out myLocalCA.cert
    • Enter Country, State, City, Org, dept
    • Enter common name as the permanent name of your CA (example: myLocalCA)
  • Use a sequence file for the serial numbers of the certificates this CA issues. It is best to just let openssl create it when you issue your first cert; just make sure to always reference the same file. (Each signed cert must have a serial that is unique to the CA.)
    • When you sign, use these options: 
      • -CAcreateserial -CAserial myLocalCA.serial.sequence

Procedure to process (sign) a CSR

To do this you first need a CSR. Chances are you will be making them yourself, but you may also get them from a device or a person. For information on how to create a Certificate Signing Request, see https://www.saumgm.com/p/openssl-cheat-sheet.html

Log in as your CA processor user (assuming you set things up as in the example above)

  • cd ~/myLocalCA
  • openssl x509 -req -days 720 -in /path/to/myhost.csr  -out /path/to/myhost.cert -CA myLocalCA.cert -CAkey myLocalCA.key -CAcreateserial -CAserial myLocalCA.serial.sequence
That is it; then just send or install the cert file where it is needed.
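As an added example (not code from the original post), here is the whole procedure above, from creating the CA directory through signing two CSRs, as a non-interactive POSIX shell script that then checks its own output with openssl verify. Everything it assumes is mine, not the post's: the openssl CLI on PATH, a passphrase read from a CA_PASS variable instead of a -des3 prompt, 2048-bit keys in place of the post's 4096 purely to keep it fast, constructed hostnames under example.test, and an -extfile step that goes beyond the post by adding a subjectAltName to each issued cert, which current browsers insist on.

```shell
#!/bin/sh
# Added example, not from the original post: the post's CA setup and CSR
# signing run end to end without prompts, then checked with openssl verify.
# Assumptions (mine, not the post's): the openssl CLI is on PATH; the CA
# passphrase comes from CA_PASS instead of being typed at a -des3 prompt;
# 2048-bit keys instead of the post's 4096 only to keep the demo fast;
# hostnames under example.test are constructed test input.
set -eu

CA_PASS="${CA_PASS:-demo-passphrase-change-me}"

# Step 1 of the post: a working directory only the CA user can read.
setup_ca_dir() {
    mkdir -p "$1"
    chmod 0700 "$1"
}

# Steps 2 and 3: passphrase-protected CA key, then a self-signed CA cert
# valid for 10 years. The CN (myLocalCA) is deliberately not a hostname.
create_ca() {
    dir="$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$dir/myLocalCA.key" 2048 2>/dev/null
    chmod 0600 "$dir/myLocalCA.key"
    openssl req -new -x509 -days 3650 \
        -key "$dir/myLocalCA.key" -passin "pass:$CA_PASS" \
        -subj "/C=XX/ST=State/L=City/O=Example Org/OU=IT/CN=myLocalCA" \
        -out "$dir/myLocalCA.cert"
}

# What a requester would send in: an unencrypted host key plus a CSR.
make_csr() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
}

# Step 4: sign a CSR for 720 days. -CAcreateserial creates the sequence
# file on the first run; -CAserial reuses and increments it afterwards, so
# every cert this CA issues gets a serial unique to the CA. The -extfile
# part goes beyond the post: it adds a subjectAltName (required by current
# browsers) and marks the result as a non-CA cert.
sign_csr() {
    dir="$1"; host="$2"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/$host.ext"
    openssl x509 -req -days 720 -in "$dir/$host.csr" -out "$dir/$host.cert" \
        -CA "$dir/myLocalCA.cert" -CAkey "$dir/myLocalCA.key" \
        -passin "pass:$CA_PASS" \
        -CAcreateserial -CAserial "$dir/myLocalCA.serial.sequence" \
        -extfile "$dir/$host.ext" 2>/dev/null
}

# Checks a CA operator would run before handing a cert out.
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }
cert_has_san() { openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; }
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Full flow in a scratch directory; DEMO_DIR is left set for inspection.
run_demo() {
    DEMO_DIR="$(mktemp -d)"
    setup_ca_dir "$DEMO_DIR"
    create_ca "$DEMO_DIR"
    for h in host1.example.test host2.example.test; do
        make_csr "$DEMO_DIR" "$h"
        sign_csr "$DEMO_DIR" "$h"
    done
    # A self-signed cert this CA never issued, to show that verify rejects it.
    openssl req -new -x509 -days 1 -key "$DEMO_DIR/host1.example.test.key" \
        -subj "/CN=unissued.example.test" -out "$DEMO_DIR/unissued.cert" 2>/dev/null
}

run_demo
echo "CA directory: $DEMO_DIR"
cert_serial "$DEMO_DIR/host1.example.test.cert"
cert_serial "$DEMO_DIR/host2.example.test.cert"
```

Run it with sh; it prints the scratch directory and the two serials. The serials differ because -CAcreateserial only creates the sequence file once and -CAserial increments it on every later signing, and unissued.cert, which this CA never signed, fails openssl verify even though it is a perfectly valid self-signed certificate: trust comes only from the CA cert, never from the leaf.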

Trusting the CA

In order for browsers and other software to trust certificates issued by this CA, you need to install the root certificate (the myLocalCA.cert file) in a local CA trust store. (Never share the private key, only the certificate!)

WARNING: You should NOT do this on any home, business, or production network or systems. Once you do this, any cert signed with this key will be trusted. Make sure you keep your CA private key private and secure, and do not sign requests you do not know and trust completely.

On Ubuntu you can copy the cert file to /usr/local/share/ca-certificates/myLocalCA/myLocalCA.cert, make sure it has 0644 permissions, then run sudo update-ca-certificates. Note that update-ca-certificates only picks up files whose name ends in .crt, so give the copy that extension or it will be silently ignored.

On Windows, right-click the file, select Install Certificate, and choose the Trusted Root Certification Authorities store.

