How to Build a Private CA and Manage SSL Certificates with OpenSSL

1. Create a private CA :

Check the OpenSSL configuration file: /etc/pki/tls/openssl.cnf Create required files: touch /etc/pki/CA/index.txt && echo 01 > /etc/pki/CA/serial Generate the CA private key:

(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generate a self‑signed CA certificate:

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

2. Issue and revoke certificates :

Generate a server private key on the target host:

(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

Create a certificate signing request (CSR):

openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

Sign the CSR with the private CA:

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

View certificate details: openssl x509 -in /path/to/cert_file -noout -text Revoke a certificate by its serial number:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

then openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem Initialize CRL number (first revocation only): echo 01 > /etc/pki/CA/crlnumber Generate and view the Certificate Revocation List (CRL): openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl and openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text 3. Configure Apache for HTTPS (mod_ssl):

DocumentRoot "/web/pma"
ServerName www.chen.net:443
<Directory "/web/pma">
  AllowOverride All
  Options None
  Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

4. Test the setup :

OpenSSL client test:

openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem

Curl test:

curl --cacert /etc/pki/CA/cacert.pem https://www.chen.net/

Additional tip: when SSH reports “remote host identification has changed”, delete the offending entry in ~/.ssh/known_hosts and reconnect.