Certificate Authority, Creation and Use

Jul 16, 2020

To use valid SSL certificates you do not need to buy one: you can create your own Certificate Authority (CA) or use Let’s Encrypt. Let’s Encrypt is the best choice because you do not have to install a new CA on the client side.

But if for some reason you want to create your own CA, in this post I show how to do it in a simple way using easy-rsa, a script from the OpenVPN project.

Creating a Certificate Authority (CA)

Install easy-rsa and prepare the environment.

# apt install easy-rsa
# cp -R /usr/share/easy-rsa /easy-rsa_myCA
# cd /easy-rsa_myCA
# ./easyrsa init-pki

If you want, you can customize the CA params with:

# cp vars.example vars
        and edit the vars file

And to build the CA, just run:

# ./easyrsa build-ca
        Enter a password for your private key.
        Common Name: write the name of your new CA.

Creating a certificate suitable for signing by your CA

Let’s create the private key and certificate request for www.yourdomain.com:

# ./easyrsa gen-req www.yourdomain.com nopass
        Common Name: www.yourdomain.com

Now sign it using your new CA:

# ./easyrsa sign-req server www.yourdomain.com

With this, your new certificate is signed by your CA. Use the files pki/issued/www.yourdomain.com.crt (the certificate) and pki/private/www.yourdomain.com.key (the private key) in your server application, for example Apache.
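The three easy-rsa commands above (build-ca, gen-req, sign-req) wrap plain openssl calls. The script below is an added example, not part of the original post or of easy-rsa: it builds a throw-away CA and a server certificate with openssl in a temporary directory, then runs the checks worth doing on the issued files before handing them to Apache: the certificate chains to the CA and is valid for the hostname, the private key matches the certificate, and the hostname is present as a subjectAltName (browsers such as Chrome match the hostname against the SAN, not the CN). The CA name "demo-test-ca", the config section names and the file names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): what easy-rsa's build-ca,
# gen-req and sign-req do, written out with plain openssl, followed by the
# checks worth running on the issued files. Everything is built in a
# temporary directory; the CA name and file names are constructed.
set -eu

WORK=$(mktemp -d)
CA_SUBJ="/CN=demo-test-ca"     # constructed CA name for this demo
SERVER="www.yourdomain.com"    # hostname used in the post

# Extension profiles, the equivalent of easy-rsa's x509-types/ca and
# x509-types/server. Browsers match the hostname against subjectAltName,
# so the server profile carries it explicitly; the CN alone is not enough.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

build_demo_pki() {
  # build-ca: CA private key + self-signed CA certificate (pki/ca.crt)
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -subj "$CA_SUBJ" -days 365 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/ca.crt"

  # gen-req ... nopass: unencrypted server key + certificate signing request
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$SERVER" \
    -config "$WORK/openssl.cnf" -out "$WORK/server.csr"

  # sign-req server: the CA signs the request using the server profile
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions server_ext \
    -out "$WORK/server.crt" 2>/dev/null
}

# check_issued_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# Returns 0 only if all three deployment checks pass.
check_issued_cert() {
  ca=$1; crt=$2; key=$3; host=$4
  # (a) the certificate chains to the CA and is valid for this hostname
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
  # (b) the private key really belongs to this certificate
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  # (c) the hostname is listed in subjectAltName, which is what browsers check
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
  return 0
}

build_demo_pki
if check_issued_cert "$WORK/ca.crt" "$WORK/server.crt" "$WORK/server.key" "$SERVER"; then
  echo "OK: $SERVER certificate chains to $(openssl x509 -in "$WORK/ca.crt" -noout -subject)"
else
  echo "FAILED: do not deploy $WORK/server.crt" >&2
fi
```

The same check_issued_cert function can be pointed at the easy-rsa output (pki/ca.crt, pki/issued/www.yourdomain.com.crt, pki/private/www.yourdomain.com.key); a certificate issued with only a CN and no subjectAltName fails check (a) with -verify_hostname and check (c), which is exactly the case a browser would reject.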

Using your new CA in Firefox

First, copy the CA certificate (pki/ca.crt) to your Desktop. Then, in Firefox, go to Preferences -> search for "certifi" -> View Certificates… -> Authorities -> Import -> select your ca.crt.
