How to Build Your Own Private CA on Linux with OpenSSL

Learn step-by-step how to set up a private Certificate Authority on Linux using OpenSSL, covering CA and PKI basics, directory structure, configuration files, generating root and client certificates, managing revocation lists, and essential commands for secure certificate management.

Ops Community

CA and PKI Introduction

A CA (Certificate Authority) manages digital certificates: it issues, revokes, and renews them. PKI (Public Key Infrastructure) is the broader framework around it; in a PKI the Registration Authority (RA) handles requests and identity validation before instructing the CA to issue or revoke certificates.

Building a Private CA

1. Install OpenSSL

Most Linux distributions include OpenSSL; otherwise install via package manager or source.

2. Create Directory Structure

Create a dedicated directory for the CA and sub‑directories for certificates, CRLs, new certificates, and private keys.

mkdir /etc/pki/CA
mkdir /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

certs – stores certificates issued by the CA

crl – stores certificate revocation lists

newcerts – holds newly created certificates

private – contains the CA’s private key

index.txt – database tracking issued certificates

serial – file holding the next certificate serial number

3. Edit OpenSSL Configuration

Locate the OpenSSL configuration directory with openssl version -d and edit the openssl.cnf in it to define the CA's default directories and parameters.

# /etc/ssl/openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.key
serial = $dir/serial
default_days = 3650
default_md = sha256
preserve = no

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
C = CN
ST = BeiJin
L = BeiJin
O = My Company
OU = My Organizational Unit
emailAddress = [email protected]
CN = mycompany.com

4. Generate a Self‑Signed Root Certificate

First create a private key, then generate a root certificate using that key.

openssl genpkey -algorithm RSA -out /etc/pki/CA/private/cakey.key
openssl req -key /etc/pki/CA/private/cakey.key -new -x509 -days 7300 -out /etc/pki/CA/certs/cacert.pem

At this point the private CA is ready.

CA Issuing Certificates

1. User Generates a CSR

mkdir tom
cd tom
sudo openssl req -new -keyout tom.key -out tom_req.csr -nodes

2. CA Receives the CSR

mkdir /etc/pki/CA/csr

3. CA Verifies Identity

The CA validates the requester’s identity before signing.

4. CA Signs the Certificate

sudo openssl ca -batch -in /etc/pki/CA/csr/tom_req.csr -out /etc/pki/CA/certs/tom.pem

The signed certificate and private key can now be used by the client.

Special CA Files

serial

Contains the next serial number; it increments with each new certificate.

cat /etc/pki/CA/serial   # e.g., 02

index.txt

Database tracking all issued certificates, their status, expiration, serial number, and subject.

V    331028032625Z    01    unknown    /C=CN/ST=BeiJin/O=My Company/OU=My Organizational Unit/CN=mycompany.com/[email protected]

index.txt.attr

Controls attributes such as unique_subject = yes to enforce unique subjects.

unique_subject = yes

index.txt.old and serial.old

Store previous database and serial information.

Revoking Certificates

1. Revoke a Certificate

openssl ca -revoke /path/to/certificate.pem

2. Generate a New CRL

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
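The whole lifecycle from the sections above (build the CA, issue a certificate, revoke it, regenerate the CRL) as one runnable POSIX shell script, added here as an example and not taken from the article. It recreates the article's directory layout and openssl.cnf under a scratch directory so it needs no root; the policy_any, v3_ca and usr_cert sections, default_crl_days and the function names are my assumptions, since "openssl ca" refuses to sign without a policy section and without a CRL lifetime for -gencrl.

```shell
# Added example, not from the article: same CA layout under a scratch directory (no root needed)
set -eu
build_ca() {   # $1 = CA directory, standing in for /etc/pki/CA
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" "$1/csr"; touch "$1/index.txt"; echo 01 > "$1/serial"
  # The article's config plus what "openssl ca" itself requires: a policy section, a CRL lifetime, and (assumed) extension sections marking the root CA:TRUE and leaves CA:FALSE
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.key
serial = \$dir/serial
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Private Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  openssl genpkey -algorithm RSA -out "$1/private/cakey.key"
  openssl req -config "$1/openssl.cnf" -key "$1/private/cakey.key" -new -x509 -days 7300 -out "$1/certs/cacert.pem"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem"   # initial (empty) CRL
}
issue_cert() {   # $1 = CA dir, $2 = user name: the user's CSR, then the CA signs it in batch mode
  openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1/csr/$2.key" -out "$1/csr/$2.csr"
  openssl ca -config "$1/openssl.cnf" -batch -notext -in "$1/csr/$2.csr" -out "$1/certs/$2.pem"
}
revoke_cert() {  # $1 = CA dir, $2 = user name: flag the entry R in index.txt, then rebuild the CRL
  openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.pem"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem"
}
verify_cert() {  # $1 = CA dir, $2 = user name: exits 0 only if the cert chains to the CA and is not on the CRL
  cat "$1/certs/cacert.pem" "$1/crl/crl.pem" > "$1/crl/bundle.pem"   # openssl verify reads CRLs from -CAfile too
  openssl verify -crl_check -CAfile "$1/crl/bundle.pem" "$1/certs/$2.pem"
}
```

Source the file and run build_ca, issue_cert, verify_cert and revoke_cert in that order against one directory; after revoke_cert the serial file reads 02, index.txt shows the entry flagged R, and verify_cert fails with "certificate revoked".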

Common File Extensions

.key – private key files

.pem – PEM‑encoded certificates or keys

.csr – certificate signing requests

.crl – certificate revocation lists

Viewing Certificate Details

openssl x509 -in /path/to/cert.pem -noout -text

Certificate Issuance Workflow

The client creates a CSR, the CA hashes it, signs the hash with its private key, and returns a signed X.509 certificate.

CA issuance process diagram

During data communication, the client encrypts data with a symmetric key, encrypts that key with the server’s public key from the certificate, and sends both along with a hash for integrity verification. The server decrypts the symmetric key, recovers the data, recomputes the hash, and compares it to ensure integrity.

Data communication flow diagram
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
