Creating a Certificate Authority to SSL Signed Certificate for our Apache Server

I wanted to create certificates but mostly you will find how to create Self-Signed Certificates but I want to create a Certificate Authority to sign them and just upload a single root certificate to the navigators in order to accept all.

The steps to do this are here.

Create a CA Root

mkdir CA
cd CA
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create a new CA private key
openssl genrsa -aes256 -out private/ca.key.pem 4096

Create a CA Certificate
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem

Create an intermediate certificate authority (CA)

mkdir intermediate
cd intermediate
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create the intermediate private key
openssl genrsa -aes256 -out private/intermediate.key.pem 4096

Create the intermediate certificate
openssl req -sha256 -new -key private/intermediate.key.pem -out certs/intermediate.csr.pem

Sign the intermediate certificate with our Root Certificate
cd ..
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions v3_ca -notext -md sha256 -in intermediate/certs/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

To verify our last signed certificate
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem

Create the certificate chain file concatenating the intermediate certificate and root certificate together
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

To verify intermediate signed certificates against the certificate chain
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/

Create and sign SSL certificates when acting as a certificate authority (CA)

Create the new private key for the actual server certificate
cd intemediate
openssl genrsa -out private/ 2048
chmod 400 private/

Create the CSR certificate for the Server
openssl req -sha256 -new -key private/ -out certs/

openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -in certs/ -out certs/

At this point we have a useful certificate in order to use just put this settings into your virtual host configuration

The certificate is not trusted because no issuer chain was provided.

SSLEngine on
SSLCertificateFile /PATH_TO_CERT/
SSLCertificateKeyFile /PATH_TO_KEY/
SSLCertificateChainFile /PATH_TO_CHAIN_CERT/ca-chain.cert.pem

Edit the /etc/ssl/openssl.conf configurations
Set the [ CA_default ] dir = ./
Uncomment the keyUsage line of [ v3_ca ]
Change the [ policy_match ] organizationName = optional

To remove the passphrase from a key
openssl rsa -in private.key.pem -out private.unsecure.key.pem

And that will be all.

Obtained from

Series of CA on this blog


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s