Creating and using a custom certificate authority (aka CA)

presented by Carl Miller
carl@carltm.com
https://mdlug.org/media/presentations/ctm/ca.txt

select the name of your CA, probably based on your dns domain:
  in this sample, we'll use sampleCA for sample.tld

find location of default files:
  openssl ca 2>&1 | grep Using

create custom directory for sampleCA:
  cd /etc/pki/tls
  mkdir -p sampleCA/{certs,crl,csrs,newcerts,private}
  chmod go-rwx sampleCA/private
  echo -n > sampleCA/index.txt
  echo 01 > sampleCA/serial
  echo 01 > sampleCA/crlnumber

backup the original openssl.cnf:
  cp openssl.cnf openssl.cnf.orig

customize the openssl.cnf for use by sampleCA:
  HOME = /etc/pki/tls/sampleCA
  dir = $HOME
  default_days = 7305
  default_bits = 2048
  policy = policy_anything
  countryName_default = US
  stateOrProvinceName_default = Michigan
  localityName_default = Canton
  0.organizationName_default = Sample
  nsComment (twice) = "Certificate issued by Sample Security"
  organizationalUnitName_default = Internet Security
  commonName_default = www.sample.tld
  emailAddress_default = support@sample.tld
  # note: the stock openssl.cnf expects the CA files at $dir/cacert.pem and
  # $dir/private/cakey.pem; point certificate and private_key at the names
  # used when the CA is created below (sampleCA_cert.pem, private/sampleCA_key.pem)

  in [ req ] uncomment:
    req_extensions = v3_req
  in [ v3_req ] uncomment:
    subjectAltName = @alt_names
  below [ v3_req ] add:
    [ alt_names ]
    DNS.1 = sample.tld
    DNS.2 = *.sample.tld
    IP.1 = 127.0.0.1

create the CA:
  cd sampleCA
  openssl req -new -x509 -extensions v3_ca -keyout private/sampleCA_key.pem \
    -out sampleCA_cert.pem -days 14610
    #set Common Name to "Sample CA Root Certificate"
    #create a passphrase and remember it!
  openssl x509 -in sampleCA_cert.pem -noout -text -purpose \
    > sampleCA_cert.pem.txt
  openssl x509 -in sampleCA_cert.pem -outform DER -out sampleCA_cert.der
  cp sampleCA_cert.pem sampleCA.crt
  cp sampleCA.crt /var/www/html

client must request a certificate:
  # with an existing key:
  openssl req -new -nodes -key private/sample.tld.key -out csrs/sample.tld.csr
  # or, generating a new key at the same time:
  openssl req -new -nodes -keyout private/sample.tld.key -out csrs/sample.tld.csr

client must send csr file with payment (if appropriate) to CA owner

CA must sign the request:
  cp request.csr /etc/pki/tls/sampleCA/csrs   # the client's csr, referred to below as csrs/sample.tld.csr
  openssl req -in csrs/sample.tld.csr -text -noout | more
  # if needed, update/remove [ alt_names ] in openssl.cnf
  openssl ca -out certs/sample.tld.crt -infiles csrs/sample.tld.csr
  openssl x509 -in certs/sample.tld.crt -noout -text -purpose \
    > certs/sample.tld.crt.txt
  # bundle the signed cert with the CA certificate created above
  cat certs/sample.tld.crt sampleCA_cert.pem > certs/sample.tld.pem
  openssl x509 -in certs/sample.tld.pem -noout -text -purpose \
    > certs/sample.tld.pem.txt

CA owner must send client the pem file
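The whole procedure above, as an added example that is not part of Carl Miller's slides: the same steps (CA, CSR with a SAN, openssl ca, bundle check) run non-interactively in a throwaway directory, finishing with the openssl verify and SAN check the slides leave out. It assumes the openssl CLI is installed; sample.tld, the subject names and the passphrase are constructed.

```shell
# Constructed example (not code from the slides): the slide workflow run end to end, non-interactively,
# in a throwaway directory. Assumes the openssl CLI; sample.tld, subjects and passphrase are made up.
set -eu
PASS=pass:demo-only     # constructed; a real CA is prompted for its passphrase
setup_sample_ca() {     # $1 = directory standing in for /etc/pki/tls/sampleCA
  d=$1; mkdir -p "$d/certs" "$d/csrs" "$d/newcerts" "$d/private"; chmod go-rwx "$d/private"
  : > "$d/index.txt"; echo 01 > "$d/serial"
  # certificate/private_key must name the files created below; copy_extensions keeps the
  # CSR's SAN, while usr_cert's CA:FALSE overrides any CA:true a CSR might try to carry
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = sampleCA
[ sampleCA ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/sampleCA_cert.pem
private_key = \$dir/private/sampleCA_key.pem
default_days = 7305
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
copy_extensions = copy
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_req ]
subjectAltName = DNS:*.sample.tld
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
  ( cd "$d"
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -days 14610 \
      -subj "/CN=Sample CA Root Certificate" -passout "$PASS" -keyout private/sampleCA_key.pem -out sampleCA_cert.pem
    openssl req -new -nodes -config openssl.cnf -newkey rsa:2048 -subj "/CN=www.sample.tld" \
      -keyout private/sample.tld.key -out csrs/sample.tld.csr
    openssl ca -batch -config openssl.cnf -passin "$PASS" -out certs/sample.tld.crt -infiles csrs/sample.tld.csr )
}
verify_issued() {       # succeeds only if the chain verifies and the SAN survived signing
  openssl verify -CAfile "$1/sampleCA_cert.pem" "$1/certs/sample.tld.crt" &&
  openssl x509 -in "$1/certs/sample.tld.crt" -noout -text | grep -q 'DNS:\*\.sample\.tld'
}
work=$(mktemp -d); setup_sample_ca "$work"; verify_issued "$work" && echo "sampleCA signed sample.tld: chain OK, SAN kept"
```

Rerunning `setup_sample_ca` against the same directory fails, because openssl ca's unique_subject default refuses a second valid certificate for the same subject in index.txt.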