How to Be Your Own Certificate Authority


Step-by-Step Guide

  1. Step 1: Generate your CA's private key by issuing the following command:

         openssl genrsa -des3 -out server.CA.key 2048

     The options explained:

     openssl - the name of the software
     genrsa - creates a new private key
     -des3 - encrypt the key using the DES cipher
     -out server.CA.key - the name of your new key
     2048 - the length, in bits, of the private key (Please see the warnings)

     Store this certificate and the password in a safe place.

  2. Step 2: Create a certificate signing request:

         openssl req -verbose -new -key server.CA.key -out server.CA.csr -sha256

     The options explained:

     req - Creates a Signing Request
     -verbose - shows you details about the request as it is being created (optional)
     -new - creates a new request
     -key server.CA.key - The private key you just created above.
     -out server.CA.csr - The file name of the signing request you are creating
     sha256 - The encryption algorithm to use for signing requests (If you don't know what this is, do not change this. You should only change this if you know what you are doing)

  3. Step 3: Fill out the information as much as possible:

         Country Name (2 letter code) : US
         State or Province Name (full name) : CA
         Locality Name (e.g., city) []: Silicon Valley
         Organization Name (e.g., company) : LifeGuide Hub
         Organizational Unit Name (eg, section) []:
         Common Name (e.g., server FQDN or YOUR name) []: CA Certificate for LifeGuide Hub.com
         Email Address []: certs@LifeGuide Hub.com

  4. Step 4: Self-sign your certificate:

         openssl ca -extensions v3_ca -out server.CA-signed.crt -keyfile server.CA.key -verbose -selfsign -md sha256 -enddate 330630235959Z -infiles server.CA.csr

     The options explained:

     ca - Loads the Certificate Authority module
     -extensions v3_ca - Loads the v3_ca extension, a must-have for use on modern browsers
     -out server.CA-signed.crt - The name of your new signed key
     -keyfile server.CA.key - The private key you created in step 1
     -verbose - shows you details about the request as it is being created (optional)
     -selfsign - Tells openssl that you are using the same key to sign the request
     -md sha256 - The encryption algorithm to use for the message. (If you don't know what this is, do not change this. You should only change this if you know what you are doing)
     -enddate 330630235959Z - The end date of the certificate. The notation is YYMMDDHHMMSSZ where Z is in GMT, sometimes known as "Zulu" time.
     -infiles server.CA.csr - the signing request file that you created in the step above.

  5. Step 5: Inspect your CA certificate:

         openssl x509 -noout -text -in server.CA-signed.crt

     The options explained:

     x509 - Loads the x509 module to inspect signed certificates.
     -noout - Do not output the encoded text
     -text - output the information on the screen
     -in server.CA-signed.crt - Load the signed certificate

     The server.CA-signed.crt file can be distributed to anyone who will use your website or use certificates that you plan on signing.

  6. Step 6: Create a private key:

         openssl genrsa -des3 -out server.apache.key 2048

     The options explained:

     openssl - the name of the software
     genrsa - creates a new private key
     -des3 - encrypt the key using the DES cipher
     -out server.apache.key - the name of your new key
     2048 - the length, in bits, of the private key (Please see the warnings)

     Store this certificate and the password in a safe place.

  7. Step 7: Create a Certificate Signing Request:

         openssl req -verbose -new -key server.apache.key -out server.apache.csr -sha256

     The options explained:

     req - Creates a Signing Request
     -verbose - shows you details about the request as it is being created (optional)
     -new - creates a new request
     -key server.apache.key - The private key you just created above.
     -out server.apache.csr - The file name of the signing request you are creating
     sha256 - The encryption algorithm to use for signing requests (If you don't know what this is, do not change this. You should only change this if you know what you are doing)

  8. Step 8: Use your CA certificate to sign the new key:

         openssl ca -out server.apache.pem -keyfile server.CA.key -infiles server.apache.csr

     The options explained:

     ca - Loads the Certificate Authority module
     -out server.apache.pem - The file name of the signed certificate
     -keyfile server.CA.key - The file name of the CA certificate that will be signing the request
     -infiles server.apache.csr - The file name of the Certificate Signing Request

  9. Step 9: Fill out the information as much as possible:

         Country Name (2 letter code) : US
         State or Province Name (full name) : CA
         Locality Name (e.g., city) []: Silicon Valley
         Organization Name (e.g., company) : LifeGuide Hub
         Organizational Unit Name (eg, section) []:
         Common Name (e.g., server FQDN or YOUR name) []: Apache SSL Certificate for LifeGuide Hub.com
         Email Address []: certs@LifeGuide Hub.com

  10. Step 10: Save a copy of your private key in another location. Create a private key without a password to prevent apache from prompting you for a password:

         openssl rsa -in server.apache.key -out server.apache.unsecured.key

     The options explained:

     rsa - Runs the RSA encryption program
     -in server.apache.key - The key name that you want to convert.
     -out server.apache.unsecured.key - The file name of the new unsecured key

  11. Step 11: Use the resulting server.apache.pem file along with the private key you generated in step 6 to configure your apache2.conf file.

  12. Step 12: Follow all the steps in _Creating SSL Certificates for Apache_.

  13. Step 13: Convert your signed certificate to a PKCS12:

         openssl pkcs12 -export -in user_cert.pem -inkey user_private_key.pem -out user_cert.p12

  14. Step 14: Create a private key:

         openssl genrsa -des3 -out private_email.key 2048

  15. Step 15: Create a Certificate Signing Request:

         openssl req -new -key private_email.key -out private_email.csr

  16. Step 16: Use your CA certificate to sign the new key:

         openssl ca -out private_email.pem -keyfile server.CA.key -infiles private_email.csr

  17. Step 17: Convert the certificate to PKCS12:

         openssl pkcs12 -export -in private_email.pem -inkey private_email.key -out private_email.p12

  18. Step 18: Create a Public Key certificate for distribution:

         openssl pkcs12 -export -out public_cert.p12 -in private_email.pem -clcerts -nokeys -name "LifeGuide Hub's Public Key"
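
The openssl ca commands in the steps above only run when OpenSSL has a CA configuration to read (certificate database, serial file, signing policy and a v3_ca section), which the guide does not show. The script below is an added example, not part of the original guide: it builds a throwaway CA and one server certificate end to end, then checks the result. The ca.cnf contents, subjects, SAN, placeholder passphrase, function names and the use of -aes256 in place of -des3 are assumptions.

```shell
CA_PASS='demo-only-passphrase'; export CA_PASS   # constructed placeholder; env: keeps it off argv

build_demo_ca() (   # $1 = empty directory for the throwaway CA (all names are constructed)
  cd "$1" && mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = index.txt
serial        = serial
new_certs_dir = newcerts
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  openssl genrsa -aes256 -passout env:CA_PASS -out server.CA.key 2048 &&
  openssl req -new -config ca.cnf -key server.CA.key -passin env:CA_PASS \
    -subj '/CN=Demo Root CA' -sha256 -out server.CA.csr &&
  openssl ca -batch -notext -config ca.cnf -selfsign -extensions v3_ca -md sha256 \
    -keyfile server.CA.key -passin env:CA_PASS -enddate 330630235959Z \
    -out server.CA-signed.crt -infiles server.CA.csr &&
  openssl genrsa -out server.apache.unsecured.key 2048 &&   # passphrase-free server key
  openssl req -new -config ca.cnf -key server.apache.unsecured.key \
    -subj '/CN=www.example.test' -sha256 -out server.apache.csr &&
  openssl ca -batch -notext -config ca.cnf -extensions v3_leaf -md sha256 -days 365 \
    -cert server.CA-signed.crt -keyfile server.CA.key -passin env:CA_PASS \
    -out server.apache.pem -infiles server.apache.csr
)

key_matches_cert() {   # $1 = private key, $2 = certificate: do the public keys agree?
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

check_demo_ca() (   # $1 = CA directory: CA flag set, chain verifies, key pairs with cert
  cd "$1" && openssl x509 -noout -text -in server.CA-signed.crt | grep -q 'CA:TRUE' &&
  openssl verify -CAfile server.CA-signed.crt server.apache.pem >/dev/null &&
  key_matches_cert server.apache.unsecured.key server.apache.pem
)
d=$(mktemp -d) && build_demo_ca "$d" && check_demo_ca "$d" && echo "chain verified in $d"
```

Because the server key is written without a passphrase, its file permissions are the only protection it has; keep it readable by the web server's account alone and keep the CA key off the web server entirely.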


About the Author

Virginia Bennett

Professional writer focused on creating easy-to-follow creative arts tutorials.
