How to Build a Private CA and Manage Certificates with OpenSSL

Learn step‑by‑step how to set up a private Certificate Authority using OpenSSL, create the necessary directory structure, configure files, generate self‑signed root certificates, issue and revoke client certificates, and understand related files and processes such as CRL, index databases, and certificate verification.

MaGe Linux Operations

CA and PKI Introduction

CA (Certificate Authority) is an organization that issues, revokes, and renews digital certificates. PKI (Public Key Infrastructure) is a broader framework that includes the CA as a core component.

Building a Private CA

1. Install OpenSSL

Most Linux distributions include OpenSSL by default; otherwise install it via the package manager or from source.

2. Create Directory Structure

Create a working directory and sub‑directories to organize CA files.

mkdir /etc/pki/CA
mkdir /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

Directory description:

certs – stores certificates issued by the CA.

crl – stores the certificate revocation list.

newcerts – holds newly created certificates.

private – contains the CA private key.

File description:

index.txt – database tracking issued certificates; must be empty for a new CA.

serial – stores the next certificate serial number; initialise it.

3. Edit Configuration File

OpenSSL reads its configuration file for certificate‑related operations such as req and ca. Editing it lets you set default values and paths so that fewer options have to be typed on the command line. To find the directory OpenSSL loads its configuration from, run:

sudo openssl version -d

Back up the original file and create a new one:

sudo mv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf-bak
sudo vim /etc/ssl/openssl.cnf

Key sections to add. Besides the paths, openssl ca refuses to run unless its section names a policy (the DN fields a request must match, supply, or may omit), and openssl ca -gencrl needs default_crl_days; both are included below:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.key
serial = $dir/serial
default_days = 3650
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJin
L = BeiJin
O = My Company
OU = My Organizational Unit
emailAddress = [email protected]
CN = mycompany.com

4. Generate Self‑Signed Root Certificate

Generate a private key for the CA:

openssl genpkey -algorithm RSA -out /etc/pki/CA/private/cakey.key

Create the root certificate using the key and the configuration paths defined earlier:

openssl req -key /etc/pki/CA/private/cakey.key -new -x509 -days 7300 -out /etc/pki/CA/certs/cacert.pem

At this point the private CA is ready.

CA Issuing Certificates

1. User Generates a CSR

The client creates a Certificate Signing Request (CSR) containing the public key and identity information.

mkdir tom
cd tom
sudo openssl req -new -keyout tom.key -out tom_req.csr -nodes

2. CA Receives the CSR

The CSR can be transferred to the CA via file copy or remote transfer. Create a directory on the CA to store incoming CSRs:

mkdir /etc/pki/CA/csr

3. CA Verifies Identity

The CA validates the requester’s identity (e.g., by phone or other out‑of‑band methods).

4. CA Signs the Certificate

After verification, the CA signs the CSR, binding the requester’s public key to the identity.

sudo openssl ca -batch -in /etc/pki/CA/csr/tom_req.csr -out /etc/pki/CA/certs/tom.pem

The signed certificate can be returned to the client for use together with its private key.

Special CA Files

serial

Contains the next serial number; it increments with each issued certificate.

cat serial

index.txt

Database tracking all certificates issued by the CA. Each line holds tab‑separated fields: status (V‑valid, R‑revoked), expiration date, revocation date (empty unless revoked), serial number, certificate file name (unknown when not recorded), and subject DN.

V	331028032625Z		01	unknown	/C=CN/ST=BeiJin/O=My Company/OU=My Organizational Unit/CN=mycompany.com/[email protected]

index.txt.attr

Controls attributes of the index database; unique_subject = yes enforces unique subjects.

cat index.txt.attr
unique_subject = yes

index.txt.old & serial.old

Backup files storing the previous state of the database and serial number.
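The index database can be queried directly with awk once its column layout is known. The following is an added example and not part of the article: the three database rows are constructed for it (the first mirrors the line shown above), and the helper names are my own. Besides V and R, OpenSSL writes E for expired entries once openssl ca -updatedb has been run.

```sh
#!/bin/sh
# Added example, not from the original article: query an index.txt database with
# awk. Each line has six tab-separated fields: status (V valid, R revoked, E
# expired once `openssl ca -updatedb` has run), expiry (YYMMDDHHMMSSZ), revocation
# date (empty unless revoked), serial (hex), certificate file name ("unknown" when
# not recorded) and subject DN. The three rows below are constructed for this example.
set -eu
TAB="$(printf '\t')"
SAMPLE_INDEX="${SAMPLE_INDEX:-$(mktemp)}"
printf 'V\t331028032625Z\t\t01\tunknown\t/C=CN/ST=BeiJin/O=My Company/CN=mycompany.com\n' > "$SAMPLE_INDEX"
printf 'R\t331101120000Z\t241105090000Z\t02\tunknown\t/C=CN/ST=BeiJin/O=My Company/CN=tom.mycompany.com\n' >> "$SAMPLE_INDEX"
printf 'V\t341201000000Z\t\t03\tunknown\t/C=CN/ST=BeiJin/O=My Company/CN=alice.mycompany.com\n' >> "$SAMPLE_INDEX"

# Number of rows with a given status letter.
index_count() { awk -F "$TAB" -v st="$1" '$1 == st { n++ } END { print n + 0 }' "$SAMPLE_INDEX"; }

# Serials that a freshly generated CRL would list (every R row).
revoked_serials() { awk -F "$TAB" '$1 == "R" { print $4 }' "$SAMPLE_INDEX"; }

# Subject DN for a serial; empty output means the CA never issued that serial.
subject_for_serial() { awk -F "$TAB" -v s="$1" '$4 == s { print $6 }' "$SAMPLE_INDEX"; }

# Sanity check on the database: a V row must have no revocation date and an R row
# must have one. Exit status is the number of inconsistent rows (0 = consistent).
index_consistent() {
    awk -F "$TAB" '$1 == "V" && $3 != "" { bad++ }
                   $1 == "R" && $3 == "" { bad++ }
                   END { exit bad + 0 }' "$SAMPLE_INDEX"
}

if [ "${1:-}" = run ]; then
    echo "valid: $(index_count V), revoked: $(index_count R)"
    echo "revoked serials: $(revoked_serials | tr '\n' ' ')"
    index_consistent && echo "index.txt is consistent"
fi
```

Run it as sh script.sh run, or set SAMPLE_INDEX to a real /etc/pki/CA/index.txt to audit an existing CA; the consistency check is the kind of test worth running before publishing a CRL, because openssl ca builds the CRL from the R rows of this file.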

Revoking Certificates

1. Revoke a Certificate

openssl ca -revoke /path/to/certificate.pem

2. Generate a New CRL

After revocation, generate a new Certificate Revocation List so clients can check revoked certificates.

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
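The whole procedure described above (directory layout, configuration, root certificate, CSR, signing, revocation, CRL) can be exercised end to end in a scratch directory before touching /etc/pki/CA. The script below is an added example, not code from the article: it assumes a temporary directory (CA_ROOT) in place of /etc/pki/CA, uses "tom" and the article's DN values as sample identities, adds the policy and CRL settings and the CA extensions that openssl ca and openssl verify expect, and finishes by showing that openssl verify -crl_check rejects the revoked certificate.

```sh
#!/bin/sh
# Added example, not from the original article: build a throwaway private CA in a
# scratch directory, issue a certificate, verify it, revoke it, publish a CRL and
# show that verification with CRL checking then fails. Nothing under /etc is
# touched: $CA_ROOT (assumption: a temp dir) stands in for the article's /etc/pki/CA.
set -eu
CA_ROOT="${CA_ROOT:-$(mktemp -d)}"
TAB="$(printf '\t')"

# Step 2: directory layout plus the index, serial and CRL-number files.
ca_layout() {
    mkdir -p "$CA_ROOT/certs" "$CA_ROOT/crl" "$CA_ROOT/newcerts" "$CA_ROOT/private" "$CA_ROOT/csr"
    chmod 700 "$CA_ROOT/private"          # only the CA operator may read the key
    : > "$CA_ROOT/index.txt"
    echo 01 > "$CA_ROOT/serial"
    echo 01 > "$CA_ROOT/crlnumber"
}

# Step 3: self-contained openssl.cnf with the article's sections plus the policy
# and CRL settings that `openssl ca` refuses to run without, and CA extensions.
ca_config() {
    cat > "$CA_ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_ROOT
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C = CN
ST = BeiJin
O = My Company
CN = mycompany.com
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Step 4: CA private key and self-signed root certificate.
ca_root() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$CA_ROOT/private/cakey.key" 2>/dev/null
    openssl req -config "$CA_ROOT/openssl.cnf" -key "$CA_ROOT/private/cakey.key" -new -x509 -days 7300 -out "$CA_ROOT/certs/cacert.pem"
}
# Client side: key and CSR for the hypothetical user "tom" (the article's example name).
client_csr() {
    openssl req -config "$CA_ROOT/openssl.cnf" -new -nodes -keyout "$CA_ROOT/csr/tom.key" \
        -out "$CA_ROOT/csr/tom_req.csr" -subj "/C=CN/ST=BeiJin/O=My Company/CN=tom.mycompany.com" 2>/dev/null
}
# CA side: sign the CSR; -batch skips the interactive confirmation.
ca_sign() {
    openssl ca -config "$CA_ROOT/openssl.cnf" -batch -in "$CA_ROOT/csr/tom_req.csr" -out "$CA_ROOT/certs/tom.pem" >/dev/null 2>&1
}
# Revoke the certificate (its index.txt row flips from V to R) and publish a fresh CRL.
ca_revoke_and_crl() {
    openssl ca -config "$CA_ROOT/openssl.cnf" -revoke "$CA_ROOT/certs/tom.pem" >/dev/null 2>&1
    openssl ca -config "$CA_ROOT/openssl.cnf" -gencrl -out "$CA_ROOT/crl/crl.pem" >/dev/null 2>&1
}
# Verification: returns 0 if the certificate chains to the CA. Pass "crl" as $2 to
# also reject revoked certificates; the CA cert and CRL are handed to -CAfile together.
verify_cert() {
    if [ "${2:-}" = crl ]; then
        cat "$CA_ROOT/certs/cacert.pem" "$CA_ROOT/crl/crl.pem" > "$CA_ROOT/ca_and_crl.pem"
        openssl verify -crl_check -CAfile "$CA_ROOT/ca_and_crl.pem" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$CA_ROOT/certs/cacert.pem" "$1" >/dev/null 2>&1
    fi
}
# Status letter index.txt records for a serial (V = valid, R = revoked).
index_status() { awk -F "$TAB" -v s="$1" '$4 == s { print $1 }' "$CA_ROOT/index.txt"; }

if [ "${1:-}" = run ]; then
    ca_layout; ca_config; ca_root; client_csr; ca_sign
    verify_cert "$CA_ROOT/certs/tom.pem" && echo "tom.pem verifies, index status: $(index_status 01)"
    ca_revoke_and_crl
    verify_cert "$CA_ROOT/certs/tom.pem" crl || echo "tom.pem rejected after revocation, index status: $(index_status 01)"
fi
```

Run it as sh script.sh run. Two points the article's commands do not make visible: without a policy section openssl ca stops with a configuration error, and a CRL is only useful if the verifier is actually told to consult it (plain openssl verify still accepts the revoked certificate; only the -crl_check call rejects it), which is why the script checks both ways.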

Common File Extensions

.key – private key files.

.pem – PEM‑encoded certificates or keys.

.csr – certificate signing request files.

.crl – certificate revocation list files.

Certificates may also use .crt or .cer extensions.

Viewing Certificate Contents

To inspect a certificate’s details, run:

openssl x509 -in /path/file_name -noout -text

This displays the subject, issuer, validity period, and other attributes of an X.509 certificate.
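For scripts it is more useful to pull single attributes out than to read the full -text dump. The following is an added example, not code from the article: it inspects a throwaway self-signed certificate constructed on the spot (two-day validity, CN sample.example, both made up for the example) and wraps openssl x509's -subject, -issuer, -serial, -enddate and -checkend options in small check functions.

```sh
#!/bin/sh
# Added example, not from the original article: turn the fields that
# `openssl x509 -noout -text` shows into checks a script can act on. The
# certificate inspected is a throwaway self-signed one, constructed here with a
# two-day validity so the expiry check has something to trip over.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SAMPLE="$WORK/sample.pem"

make_sample_cert() {   # constructed input, not a real certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sample.example" \
        -keyout "$WORK/sample.key" -out "$SAMPLE" 2>/dev/null
}

# Subject and issuer DNs; the exact spelling depends on the OpenSSL version, but
# the two strings are always identical for a self-signed certificate.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
cert_enddate() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
cert_serial()  { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }

cert_is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# 0 if the certificate is still valid $2 seconds from now (openssl's -checkend).
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Summary of the attributes the article lists (subject, issuer, validity).
cert_report() {
    printf 'subject: %s\nissuer:  %s\nserial:  %s\nexpires: %s\n' \
        "$(cert_subject "$1")" "$(cert_issuer "$1")" "$(cert_serial "$1")" "$(cert_enddate "$1")"
    if cert_valid_for "$1" 86400; then echo "status:  valid for at least one more day"
    else echo "status:  expires within 24 hours"; fi
}

if [ "${1:-}" = run ]; then make_sample_cert; cert_report "$SAMPLE"; fi
```

Point cert_report at a certificate issued by the private CA and the issuer line will show the CA's DN instead of the certificate's own; cert_valid_for with a window of a few weeks is the usual basis for an expiry alert.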

Related Processes

CA Certificate Issuing Flow

1. User creates a CSR containing the public key and identity.
2. CA hashes the CSR content.
3. CA encrypts the hash with its private key to create a signature.
4. The signed data, public key, and identity form the final certificate.

Certificate Verification Flow

1. Client receives the server’s certificate.
2. Client extracts the signature and decrypts it with the CA’s public key to obtain the original hash.
3. Client hashes the received certificate data.
4. If the two hashes match, the certificate is valid.

Data Communication Flow (HTTPS)

Client generates a hash of the data, encrypts the data with a symmetric key, encrypts the symmetric key with the server’s public key, and sends both to the server. The server decrypts the symmetric key with its private key, decrypts the data, hashes it again, and compares the hashes to ensure integrity.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
