How to Build a Private Certificate Authority (CA) on Linux with OpenSSL

This guide walks you through installing OpenSSL, creating a secure directory layout, configuring OpenSSL, generating a self‑signed root certificate, issuing client certificates, managing CA files, revoking certificates, and inspecting certificate details, all with clear command‑line examples and diagrams.

Liangxu Linux

Linux Private CA Setup

A Certificate Authority (CA) issues and manages X.509 certificates within a Public Key Infrastructure (PKI).

1. Install OpenSSL

OpenSSL is typically pre‑installed on most Linux distributions. If missing, install it via the package manager (e.g., apt install openssl or yum install openssl) or compile from source.

2. Create Directory Structure

mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
mkdir -p /etc/pki/CA/csr
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

certs – stores certificates issued by the CA.

crl – holds the Certificate Revocation List.

newcerts – contains newly created certificates.

private – keeps the CA’s private key.

csr – temporary location for incoming Certificate Signing Requests.

3. Edit OpenSSL Configuration

Back up the default configuration and create a custom openssl.cnf that defines the CA defaults and request parameters.

# Backup
sudo mv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
# Create new config
sudo vim /etc/ssl/openssl.cnf

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.key
serial = $dir/serial
crl = $dir/crl/crl.pem
default_days = 3650
# openssl ca -gencrl refuses to run unless a CRL lifetime is configured or passed with -crldays
default_crl_days = 30
default_md = sha256
preserve = no
# openssl ca refuses to sign without a policy section (see below)
policy = policy_anything

# Which subject fields an incoming CSR may carry: "optional" fields are copied when
# present, "supplied" fields are mandatory; fields not listed here are dropped
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
# prompt = no: every request made with this config gets the [ dn ] subject below
# unless -subj is given on the command line
prompt = no
default_md = sha256
distinguished_name = dn
# extensions for the self-signed root created with openssl req -x509 (step 4)
x509_extensions = v3_ca

[ dn ]
C = CN
ST = Beijing
L = Beijing
O = My Company
OU = My Organizational Unit
emailAddress = [email protected]
CN = mycompany.com

# Mark the root as a CA; clients other than OpenSSL reject CA certificates without basicConstraints
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign

4. Generate Self‑Signed Root Certificate

Create the CA private key and a long‑validity root certificate.

openssl genpkey -algorithm RSA -out /etc/pki/CA/private/cakey.key
openssl req -key /etc/pki/CA/private/cakey.key -new -x509 -days 7300 -out /etc/pki/CA/certs/cacert.pem

At this point the private CA is ready.

Issuing End‑Entity Certificates

1. Create a Certificate Signing Request (CSR)

mkdir tom && cd tom
sudo openssl req -new -keyout tom.key -out tom_req.csr -nodes

2. Transfer CSR to the CA

Copy tom_req.csr to /etc/pki/CA/csr/ on the CA host.

3. Sign the CSR

sudo openssl ca -batch -in /etc/pki/CA/csr/tom_req.csr -out /etc/pki/CA/certs/tom.pem

The -batch flag automatically confirms the signing prompt.

The CA’s index.txt database must be empty for the first certificate; otherwise signing fails silently.

4. Distribute the Certificate

The client receives tom.pem and uses it together with its private key tom.key for TLS/SSL connections.

CA Management Files

serial – stores the next certificate serial number; increments after each issuance.

index.txt – database of all issued certificates (status, expiry, serial, subject).

index.txt.attr – attributes such as unique_subject = yes which enforces unique subjects.

index.txt.old – backup of the previous index.txt state.

serial.old – backup of the previous serial number.
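The index.txt layout described above, exercised by a small report script. This is an added example, not the article's code: it parses the tab-separated database that openssl ca maintains and flags revoked entries and valid certificates that expire before a cutoff. The three-entry sample database is constructed.

```shell
# Added example, not from the article: a report over the CA's index.txt database.
# `openssl ca` writes one tab-separated line per certificate:
#   status (V valid / R revoked / E expired)  expiry (YYMMDDHHMMSSZ)
#   revocation time[,reason] (empty unless R)  serial (hex)  file  subject DN
# The three-entry database below is constructed; real serials and DNs will differ.
SAMPLE_DB=$(mktemp)
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=tom\n' > "$SAMPLE_DB"
printf 'R\t300101000000Z\t250315120000Z,keyCompromise\t02\tunknown\t/CN=alice\n' >> "$SAMPLE_DB"
printf 'V\t260201000000Z\t\t03\tunknown\t/CN=bob\n' >> "$SAMPLE_DB"

# $1 = index.txt, $2 = YYMMDD cutoff: lists revoked entries and valid ones that expire
# before the cutoff, then a one-line summary. The timestamps compare correctly as strings.
index_report() {
  awk -F'\t' -v cutoff="$2" '
    $1 == "R" { revoked++; print "REVOKED  serial=" $4 " " $6 " at " $3 }
    $1 == "V" { valid++ }
    $1 == "V" && substr($2, 1, 6) < cutoff { expiring++; print "EXPIRING serial=" $4 " " $6 " on " $2 }
    END { printf "valid=%d revoked=%d expiring=%d\n", valid + 0, revoked + 0, expiring + 0 }
  ' "$1"
}
```

Run it as `index_report /etc/pki/CA/index.txt 261231` to see what expires before the end of 2026.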

Revoking Certificates

1. Revoke a Certificate

openssl ca -revoke /path/to/certificate.pem

2. Generate a New CRL (Certificate Revocation List)

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem

The CRL lists all revoked certificates and is signed by the CA.
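Steps 2 to 4 of the CA setup, the issuing steps and the two revocation steps above, run end to end as one script. This is an added example rather than the article's own commands: it builds the CA under a temporary directory instead of /etc/pki/CA, includes the policy and default_crl_days settings that openssl ca requires, and finishes with the check a TLS peer would make against the CRL. It assumes the openssl command-line tool (1.1.1 or later) is installed; the CA and client names are made up.

```shell
# Added example, not the article's code: the article's CA workflow end to end in a
# scratch dir (no root, no /etc/pki). Assumes the openssl CLI, 1.1.1+; names made up.
set -eu
build_lab_ca() {                  # $1 = scratch dir standing in for /etc/pki/CA
  CA=$1; mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private" "$CA/csr"
  : > "$CA/index.txt"; echo 01 > "$CA/serial"
  # Article's settings plus what openssl ca needs: a policy section and default_crl_days.
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.key
serial = \$dir/serial
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genpkey -algorithm RSA -out "$CA/private/cakey.key" 2>/dev/null
  openssl req -config "$CA/openssl.cnf" -key "$CA/private/cakey.key" -new -x509 \
    -days 3650 -subj "/CN=Lab Root CA" -out "$CA/certs/cacert.pem"
}
issue_cert() {                    # $1 = client name; CSR made on the client, signed by the CA
  openssl req -config "$CA/openssl.cnf" -new -nodes -subj "/CN=$1" \
    -keyout "$CA/csr/$1.key" -out "$CA/csr/$1.csr" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -batch -notext -in "$CA/csr/$1.csr" \
    -out "$CA/certs/$1.pem" 2>/dev/null
}
revoke_cert() {                   # mark it revoked in index.txt, then publish a fresh CRL
  openssl ca -config "$CA/openssl.cnf" -revoke "$CA/certs/$1.pem" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/crl.pem" 2>/dev/null
}
check_cert() {                    # prints valid/revoked; checks the CRL once one exists ($crl splits on purpose)
  crl=""; [ -f "$CA/crl/crl.pem" ] && crl="-crl_check -CRLfile $CA/crl/crl.pem"
  openssl verify -CAfile "$CA/certs/cacert.pem" $crl "$CA/certs/$1.pem" >/dev/null 2>&1 \
    && echo valid || echo revoked
}
```

Call `build_lab_ca "$(mktemp -d)"`, then `issue_cert tom`, `check_cert tom`, `revoke_cert tom` and `check_cert tom` again to watch the verdict change from valid to revoked.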

Common File Extensions

.key – private key files.

.pem, .crt, .cer – Base64‑encoded X.509 certificates.

.csr – Certificate Signing Request.

.crl – Certificate Revocation List.

Viewing Certificate Details

openssl x509 -in /path/to/file.pem -noout -text

This command prints the full certificate information, including subject, issuer, validity period, and extensions.

Reference Diagrams

The original article's diagrams are not reproduced here; their captions were:

Directory structure diagram
Root certificate generation
CSR creation
Certificate signing
CA certificate issuance flow
Certificate verification steps
TLS data communication

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.