How to Build a Private CA with OpenSSL: Step‑by‑Step Guide

This article explains why encrypting network traffic is essential, introduces OpenSSL’s cryptographic components, and provides a detailed, command‑line tutorial for creating a private Certificate Authority, issuing certificates, and handling revocation within a LAN environment.

MaGe Linux Operations

Preface

With the rapid growth of the Internet, network communication has become the main way to transmit information, yet most data is still sent in plaintext. Without encryption mechanisms, sensitive information can be leaked, causing severe losses. OpenSSL fills this gap as a powerful open‑source suite that includes libcrypto (cryptographic library), libssl (SSL protocol implementation), and the openssl command‑line tool. It is widely used for data‑in‑transit encryption and can also build a private CA within a LAN.

Data Encryption and Decryption Process

Encryption must achieve confidentiality, integrity, authentication, and key exchange.

Encryption types and functions:
One‑way encryption (hashing): generates a data fingerprint used for integrity verification
Symmetric encryption: protects data confidentiality
Public‑key encryption: encrypts with the peer’s public key, used for key exchange
Private‑key encryption (signing): uses one’s own private key, used for authentication
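The four functions above, each exercised with the openssl command‑line tool. This is an added example, not code from the original article: the message, passphrase, key names and temporary directory are constructed for it, and the -pbkdf2 option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not part of the original article): the four functions of
# encryption, each exercised with the openssl CLI in a throwaway directory.
# The message, passphrase and key names are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'transfer 100 to account 42\n' > "$WORK/msg.txt"   # constructed sample message

# 1. One-way encryption: a SHA-256 fingerprint. Any change to the input
#    produces a different digest, which is what integrity checks rely on.
fingerprint() {   # $1 = file; prints the hex digest
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# 2. Symmetric encryption: AES-256-CBC with the key derived from the
#    passphrase by PBKDF2 (-pbkdf2 needs OpenSSL 1.1.1 or later).
sym_encrypt() {   # $1 = plaintext file, $2 = ciphertext file, $3 = passphrase
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}
sym_decrypt() {   # $1 = ciphertext file, $2 = plaintext file, $3 = passphrase
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# Key pair for 3. and 4. The umask keeps the private key owner-only,
# as the CA section of the article also recommends.
gen_keypair() {   # $1 = private key out, $2 = public key out
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# 3. Public-key encryption for key exchange: the sender wraps a fresh session
#    key with the peer's PUBLIC key; only the peer's private key can unwrap it.
#    RSA-OAEP padding is selected instead of the PKCS#1 v1.5 default.
wrap_key() {   # $1 = peer public key, $2 = session key file, $3 = wrapped out
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}
unwrap_key() {   # $1 = own private key, $2 = wrapped file, $3 = session key out
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$2" -out "$3"
}

# 4. Private-key "encryption" for authentication is a digital signature:
#    sign the SHA-256 digest with the private key, verify with the public key.
sign_file() {   # $1 = private key, $2 = file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_file() {   # $1 = public key, $2 = file, $3 = signature; prints ok or FAIL
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# Walk through all four when the script is run directly.
echo "fingerprint: $(fingerprint "$WORK/msg.txt")"
sym_encrypt "$WORK/msg.txt" "$WORK/msg.enc" 'correct horse'
sym_decrypt "$WORK/msg.enc" "$WORK/msg.dec" 'correct horse'
echo "symmetric round trip: $(cat "$WORK/msg.dec")"
gen_keypair "$WORK/bob.key" "$WORK/bob.pub"
openssl rand -hex 32 > "$WORK/session.key"
wrap_key "$WORK/bob.pub" "$WORK/session.key" "$WORK/session.wrapped"
unwrap_key "$WORK/bob.key" "$WORK/session.wrapped" "$WORK/session.unwrapped"
echo "key exchange round trip: $(cat "$WORK/session.unwrapped")"
sign_file "$WORK/bob.key" "$WORK/msg.txt" "$WORK/msg.sig"
echo "signature on original: $(verify_file "$WORK/bob.pub" "$WORK/msg.txt" "$WORK/msg.sig")"
printf 'transfer 100 to account 43\n' > "$WORK/tampered.txt"
echo "signature on tampered copy: $(verify_file "$WORK/bob.pub" "$WORK/tampered.txt" "$WORK/msg.sig")"
```

The last two lines are the point of the fourth function: the same signature verifies on the original message and fails on a copy that differs by one character, and only the holder of bob.key could have produced it. The public key used to check it is exactly the thing a CA certificate binds to an identity.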

Because public keys transmitted over the network cannot be trusted, a trusted third‑party (CA) is required.

CA Workflow

# A and B each verify the other's certificate with the CA’s public key (checking the CA’s signature on it) to complete authentication

Since commercial CAs are expensive, enterprises can build their own private CA within a LAN when external communication is not required.

Implementing the CA

OpenSSL can build a private CA suitable for small‑to‑medium enterprises; larger organizations may consider OpenCA.

Establish CA Server – Generate Keys

# (umask 077; openssl genrsa -out /path/to/somefile 2048)
Command details:
umask 077   # ensure the key file is created without read/write permission for others; the parentheses run it in a subshell so the umask change does not persist in the login shell
-out /path/to/somefile   # specify output location for the key
2048   # key length in bits, can be customized
# openssl rsa -in private/cakey.pem -pubout -text   # extract and display the public key

Self‑Signed Certificate

# openssl req -new -x509 -key /path/to/keyfile -out /path/to/somefile -days n
Command details:
req -new   # generate a certificate signing request
-key /path/to/keyfile   # specify the private key file
-out /path/to/somefile   # specify the output certificate file
-x509   # produce a self‑signed certificate instead of a CSR
-days n   # validity period in days
The command then prompts for the subject fields; the values below are the article's example answers:
# Country Name (2 letter code) [XX]: CN
# State or Province Name (full name) []: Shandong
# Locality Name (eg, city) [Default City]: Qingdao
# Organization Name (eg, company) [Default Company Ltd]: Scholar
# Organizational Unit Name (eg, section) []: Tech
# Common Name (eg, your name or your server's hostname) []: ca.scholar.com
# Email Address []: [email protected]

These defaults can be changed by editing /etc/pki/tls/openssl.cnf.

Initialize Working Environment

index.txt   # certificate database, created empty; one line per issued certificate
serial   # file storing the next certificate serial number
echo 01 > serial   # set initial serial number

Both files live in the CA directory named by dir in the [ CA_default ] section of openssl.cnf (/etc/pki/CA by default on CentOS); openssl ca refuses to run until they exist.

Client Requests Certificate

Generate client key and CSR, then send the request to the CA.

Generate CSR:

# A challenge password []:   # optional password to protect the request
# An optional company name []:

Place the CSR in a directory on the CA server.

CA signs the certificate and returns it to the client.

Client receives the signed certificate.

Certificate Revocation

Client obtains the serial number (and subject) of the certificate to be revoked.

CA verifies that the serial and subject match an entry in index.txt, then revokes the certificate.

CA records the revocation entry (the line in index.txt changes from V to R); the first time a CRL is generated, the CRL number file referenced by openssl.cnf must also be initialized.

CA regenerates the certificate revocation list (CRL) so that relying parties can learn of the revocation.

# If needed, view the CRL file:
openssl crl -in /path/to/crlfile.crl -noout -text

The certificate is now revoked and can be re‑issued.
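The whole lifecycle described from "Establish CA Server" through "Certificate Revocation", as one script. This is an added example, not the article's own commands: it runs non‑interactively in a temporary directory with a minimal openssl.cnf written by the script (standing in for /etc/pki/tls/openssl.cnf), so it needs neither root nor /etc/pki/CA. The paths, the 3650‑day CA lifetime and the client host name www.scholar.com are assumptions. It goes slightly beyond the text by verifying the issued certificate against the CA and its CRL both before and after revocation.

```shell
#!/bin/sh
# Added example, not the article's own commands: the complete private-CA
# lifecycle from the sections above, run non-interactively in a throwaway
# directory with a minimal openssl.cnf written by the script, so it needs
# neither root nor /etc/pki/CA. Assumed: all paths, the 3650-day CA lifetime
# and the client host name www.scholar.com.
set -eu
ALL_DIRS=""                      # CA directories created so far, removed on exit
trap 'rm -rf $ALL_DIRS' EXIT

# Minimal stand-in for the [ ca ] and [ req ] sections of /etc/pki/tls/openssl.cnf.
write_ca_config() {
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Establish the CA server: key (umask 077 keeps it owner-only), self-signed
# certificate (-subj answers the prompts with the article's values), then the
# working environment: empty database, first serial number, an empty CRL.
setup_ca() {
    CA_DIR=$(mktemp -d); ALL_DIRS="$ALL_DIRS $CA_DIR"
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/crl"
    write_ca_config
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=Shandong/L=Qingdao/O=Scholar/OU=Tech/CN=ca.scholar.com"
    touch "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    ca_gencrl
}

# Client side: private key and CSR for a host name.
client_request() {   # $1 = host name
    (umask 077; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$1.key" \
        -out "$CA_DIR/$1.csr" -subj "/C=CN/ST=Shandong/L=Qingdao/O=Scholar/OU=Tech/CN=$1"
}

# CA side: sign the CSR (-batch answers the confirmation prompts) and record it in index.txt.
ca_sign() {   # $1 = host name
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$1.csr" \
        -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Revocation: openssl ca matches the certificate's serial against index.txt,
# marks the entry R, and the CRL is regenerated so relying parties learn of it.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
ca_gencrl() { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null; }
ca_revoke() { openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$1" >/dev/null 2>&1; ca_gencrl; }
revoked_count() { grep -c '^R' "$CA_DIR/index.txt" || true; }   # R entries in the database
crl_entries() { openssl crl -in "$CA_DIR/crl/ca.crl" -noout -text | grep -c 'Serial Number' || true; }

# Relying-party check: chain verification against the CA certificate with
# CRL checking. Prints ok or FAIL.
verify_cert() {   # $1 = certificate
    if openssl verify -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl/ca.crl" \
        -crl_check "$1" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Full walk-through when run directly.
setup_ca
client_request www.scholar.com
ca_sign www.scholar.com
CRT="$CA_DIR/www.scholar.com.crt"
echo "issued serial $(cert_serial "$CRT"); verify: $(verify_cert "$CRT"); CRL entries: $(crl_entries)"
ca_revoke "$CRT"
echo "revoked in index.txt: $(revoked_count); verify: $(verify_cert "$CRT"); CRL entries: $(crl_entries)"
```

Run it with sh. The verify step is the part a LAN deployment most often forgets: a revocation only takes effect for clients that actually fetch the regenerated CRL (or are pointed at it with -CRLfile/-crl_check as here), so publishing the CRL where clients can reach it is part of the revocation procedure, not an afterthought. In production the script's temporary directory and config are replaced by the system's CA directory and openssl.cnf.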

The end

This concludes the step‑by‑step process of building a private CA with OpenSSL. Test the results yourself; this guide is for personal learning and may contain omissions.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.