Creating a CA Key and Certificate

The first step to establishing a certificate authority (CA) is to generate an RSA private key.

Warning: This key must be kept secret. Any entity with access to it can issue fraudulent certificates that would cause unknown hosts to be trusted by every client that trusts your CA. It is vitally important to protect the integrity of your certificate authority.

  1. Generate the CA key by typing the command: 

    OPENSSL_DIR\bin\openssl genrsa -out ca.key 1024

    Your initial CA key is generated and placed in the file ca.key.

  2. Generate the Certificate Signing Request (CSR) by typing the command: 

    OPENSSL_DIR\bin\openssl req -new -key ca.key -out ca.csr

    This command prompts you for the information to be contained in the certificate. Answer the prompts as follows:

    Prompt                        Response
    Country Name                  Your two-letter country abbreviation
    State or Province Name        Your full state or province name
    Locality Name                 Your city, town or suburb name
    Organization Name             The name of your organization or company
    Organizational Unit Name      A name that represents your CA
    Common Name                   Either a person responsible for the operation of the CA or a generic name representing the CA itself
    Email Address                 An e-mail address that reaches someone responsible for the CA, for concerns about certificates
    A challenge password []       [enter]
    An optional company name []   [enter]

    Example:
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Iowa
    Locality Name (e.g., city) []:Urbandale
    Organization Name (e.g., company) [Internet Widgits Pty Ltd]:FIREHOUSE Software Web
    Organizational Unit Name (e.g., section) []:MyCompany
    Common Name (e.g., YOUR name) []:MyUnit
    Email Address []:hostmaster@www.firehousesoftware.com
    Please enter the following extra attributes to be sent with your certificate request:
    A challenge password []:[enter]
    An optional company name []:[enter]

  3. Establish the CA certificate by creating a file named ca.cfg and adding the following information to it.

    extensions = x509v3
    [ x509v3 ]
    subjectAltName = email:copy
    basicConstraints = CA:true,pathlen:0
    nsComment = "your company site CA"
    nsCertType = sslCA

  4. Sign your CA certificate by typing the command: 

    OPENSSL_DIR\bin\openssl x509 -req -extfile ca.cfg -days 1825 -signkey ca.key -in ca.csr -out ca.crt

    This command creates the certificate file, ca.crt, which is the certificate that must be imported into the certificate store on each client device. It is also needed, together with a configuration file, to sign server keys.

  5. Create a file named server.cfg and add the following information to it.

    extensions = x509v3
    [ x509v3 ]
    subjectAltName = email:copy
    nsComment = "Certificate signed by your company CA"
    nsCertType = server

  6. Create a file that stores the serial numbers of certificates signed by this CA by typing the command: 

    echo 01 > ca.serial
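The following script is an added example, not part of the original page, that carries out steps 1 through 6 above in one go for a POSIX shell with the openssl command on PATH (the Windows build the page describes accepts the same arguments via OPENSSL_DIR\bin\openssl). It answers the CSR prompts with -subj instead of interactively, and all subject values, directory and host names are constructed samples. It departs from the page in one deliberate respect: it generates 2048-bit keys where the page's own command uses 1024. It also goes beyond the page in two ways: check_ca confirms that the finished ca.crt validates against itself and actually carries the CA:TRUE flag that ca.cfg requested, and issue_server_cert shows what server.cfg and ca.serial are for by signing a server CSR with the new CA and verifying the result chains to it.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-6 as one script for a
# POSIX shell with the openssl CLI on PATH. All subject fields, directory and
# host names below are constructed sample values.
set -e

# Steps 1-2: CA key and CSR. -subj supplies the prompt answers non-interactively.
# This example uses a 2048-bit key; the page's own command uses 1024.
make_ca() {
    ca_dir=$1
    openssl genrsa -out "$ca_dir/ca.key" 2048
    openssl req -new -key "$ca_dir/ca.key" -out "$ca_dir/ca.csr" \
        -subj "/C=US/ST=Iowa/L=Urbandale/O=Example Org/OU=Example CA/CN=Example CA/emailAddress=hostmaster@example.com"

    # Step 3: ca.cfg, as given on the page (with straight quotes)
    cat > "$ca_dir/ca.cfg" <<'EOF'
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
basicConstraints = CA:true,pathlen:0
nsComment = "your company site CA"
nsCertType = sslCA
EOF

    # Step 4: self-sign the CSR for five years, applying the extensions from ca.cfg
    openssl x509 -req -extfile "$ca_dir/ca.cfg" -days 1825 \
        -signkey "$ca_dir/ca.key" -in "$ca_dir/ca.csr" -out "$ca_dir/ca.crt"

    # Step 5: server.cfg, the extensions applied to certificates this CA signs
    cat > "$ca_dir/server.cfg" <<'EOF'
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = "Certificate signed by your company CA"
nsCertType = server
EOF

    # Step 6: serial counter; openssl reads it when signing and writes back the next value
    echo 01 > "$ca_dir/ca.serial"
}

# Sanity checks on the finished CA: the certificate must validate against
# itself as a trust anchor and must carry the CA flag requested in ca.cfg.
check_ca() {
    ca_dir=$1
    openssl verify -CAfile "$ca_dir/ca.crt" "$ca_dir/ca.crt" >/dev/null
    openssl x509 -in "$ca_dir/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Beyond the page: use server.cfg and ca.serial to issue a certificate for a
# server and confirm it chains to the CA. $2 is a constructed hostname.
issue_server_cert() {
    ca_dir=$1
    host=$2
    openssl genrsa -out "$ca_dir/$host.key" 2048
    openssl req -new -key "$ca_dir/$host.key" -out "$ca_dir/$host.csr" \
        -subj "/C=US/ST=Iowa/L=Urbandale/O=Example Org/CN=$host/emailAddress=hostmaster@example.com"
    openssl x509 -req -extfile "$ca_dir/server.cfg" -days 365 \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAserial "$ca_dir/ca.serial" \
        -in "$ca_dir/$host.csr" -out "$ca_dir/$host.crt"
    openssl verify -CAfile "$ca_dir/ca.crt" "$ca_dir/$host.crt" >/dev/null
}

# Usage: d=$(mktemp -d); make_ca "$d"; check_ca "$d"; issue_server_cert "$d" www.example.com
```

After issue_server_cert runs once, ca.serial holds 02: the x509 command consumes the serial in the file for the certificate it signs and stores the incremented value, which is why step 6 seeds the file before any server certificate is issued. Keep ca.key, the directory it lives in, and ca.serial under the same access controls as the warning above demands for the key.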