Useful OpenSSL commands for your own CA

Here is a short summary of how I am managing my SSL certificates

  • Edit /etc/ssl/openssl.cnf and add a section for each separate certificate authority, e.g. CA_servers CA_clients, CA_vpn

  • Use a safe umask:
     umask 077

  • Generate a private key

    • an unencrypted key (no password needed)
      openssl genrsa -out key.pem 2048

    • an encrypted key (with a password)
      openssl genrsa -aes256 -out key.pem 2048

  • Create a certificate request:
    openssl req -new -key key.pem -out req.pem

  • Sign the certificate:
    openssl ca -name CA_vpn -in req.pem -out cert.pem

  • Optionally add specific extensions to the signed certificate:

    • Prepare a section in /etc/ssl/openssl.cnf like this:
      nsCertType = server, client

    • Modify the signing command like this:
      openssl ca -name CA_vpn -in req.pem -out cert.pem -extensions ext_server


Popular posts from this blog

Installing Gentoo with full disk encryption

ADSL Router Model CT-5367 user and pass (VIVACOM)

FreeIPA cluster with containers