How to Generate a CA Private Key, CSR, and Self‑Signed Certificate with OpenSSL
This guide walks through creating a CA private key, a certificate signing request, and a self‑signed CA certificate using OpenSSL, detailing each command's parameters, technical nuances, and essential security practices.
This article records OpenSSL commands to generate a CA private key, a certificate signing request (CSR), and a self‑signed CA certificate, explaining each parameter, its purpose, technical details, and security recommendations.
1. Generate CA Private Key
openssl genrsa -out ca-key.pem 4096
genrsa : generates an RSA private key (asymmetric cryptography); prefer RSA 4096 or ECC 256+ for stronger security.
-out ca-key.pem : writes the key to a PEM‑encoded file; set restrictive permissions immediately, e.g., chmod 600 ca-key.pem.
4096 : key length; 2048 bits is the minimum, while 4096 bits offers higher security at the cost of performance.
2. Generate CSR (Certificate Signing Request)
openssl req -new -key ca-key.pem -out ca-csr.pem
req : processes certificate requests following the PKCS#10 standard.
-new : creates a new CSR; the public key embedded in it is derived from the provided private key.
-key ca-key.pem : specifies the signing private key; ensure the file path is correct.
-out ca-csr.pem : outputs the CSR containing the public key and identity information (no private key); it can be stored temporarily and deleted after use.
When the command runs, OpenSSL prompts for identity fields such as Country, State, Locality, Organization, Organizational Unit, Common Name, and Email. Example input:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:My CA Inc.
Organizational Unit Name (eg, section) []:Security
Common Name (eg, your name or your server's hostname) []:My Root CA
Email Address []:[email protected]
3. Self‑sign to Create CA Certificate
openssl x509 -req -days 3650 -in ca-csr.pem -signkey ca-key.pem -out ca-cert.pem
x509 : performs X.509 certificate operations according to RFC 5280.
-req : indicates the input is a CSR rather than generating a certificate from scratch; the CSR must match the private key.
-days 3650 : sets the certificate validity period to 10 years.
-in ca-csr.pem : specifies the CSR to read, extracting the public key and identity data; must correspond to the private key.
-signkey ca-key.pem : uses the private key to sign the certificate; never expose this key.
-out ca-cert.pem : writes the self‑signed certificate in PEM format, which can be freely distributed.
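The three steps above, as an added example script that is not part of the original article: it runs the same commands non-interactively (answering the identity prompts with -subj), keeps the key at mode 600 from the moment it is written, and then checks that the certificate really belongs to the key, is self-signed, and verifies against itself. It assumes openssl is on PATH; the subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): automate the guide's three
# commands and sanity-check the result. Assumes openssl is installed.
set -eu

# Constructed sample subject, mirroring the interactive answers in the guide.
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=My CA Inc./OU=Security/CN=My Root CA"

# make_ca DIR : create ca-key.pem and ca-cert.pem in DIR using the guide's commands
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    # umask 077 means the key file is never readable by others, even briefly
    ( umask 077 && openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null )
    chmod 600 "$dir/ca-key.pem"
    # -subj replaces the interactive prompts; everything else is as in the guide
    openssl req -new -key "$dir/ca-key.pem" -subj "$SUBJ" -out "$dir/ca-csr.pem"
    openssl x509 -req -days 3650 -in "$dir/ca-csr.pem" -signkey "$dir/ca-key.pem" \
        -out "$dir/ca-cert.pem" 2>/dev/null
    rm -f "$dir/ca-csr.pem"   # the CSR is no longer needed once the cert exists
}

# check_ca DIR : succeed only if the cert's public key matches the private key,
# issuer equals subject (self-signed), the cert verifies against itself,
# and the private key is mode 0600
check_ca() {
    dir="$1"
    key_pub=$(openssl pkey -in "$dir/ca-key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/ca-cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    subj=$(openssl x509 -in "$dir/ca-cert.pem" -noout -subject)
    iss=$(openssl x509 -in "$dir/ca-cert.pem" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "not self-signed" >&2; return 1; }
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/ca-cert.pem" >/dev/null || return 1
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c %a "$dir/ca-key.pem" 2>/dev/null || stat -f %Lp "$dir/ca-key.pem")
    [ "$perms" = "600" ] || { echo "key mode is $perms, want 600" >&2; return 1; }
}

# usage: sh make-ca.sh <output-dir>
[ $# -eq 0 ] || { make_ca "$1" && check_ca "$1" && echo "CA ready in $1"; }
```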
Conclusion
Using these OpenSSL commands, you can build a private CA that issues certificates for internal services such as custom RPC communication, providing encryption and authentication. For public‑facing services like HTTPS, obtain certificates from a trusted CA.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Dunmao Tech Hub
Sharing selected technical articles synced from CSDN. Follow us on CSDN: Dunmao.