Creating a CA Certificate Using OpenSSL

  • For security reasons, the RSA key length must be at least 3072 bits; 4096-bit keys are recommended. Ensure that the -aes256 option is used so that the private key is stored encrypted. MD5, SHA1, and 1024-bit RSA are not recommended because they have known security weaknesses.
  • Set the certificate validity period properly. It is recommended that the validity period be less than or equal to 36 months.
  • If an empty password is entered when you create a self-signed certificate, the generated private key is stored in plaintext, which poses a security risk. It is recommended that the password meet the complexity requirements below.
  • Password complexity suggestions:
    1. Contains at least eight characters.
    2. Contains at least two types of the following characters:
      • Lowercase letters
      • Uppercase letters
      • Digits
      • Special characters

Using OpenSSL to Create a CA Certificate

  1. Log in to a Linux server with OpenSSL installed.
  2. Create the cert_v3 directory and enter the directory.
    mkdir cert_v3
    cd cert_v3
  3. In the cert_v3 directory, create the ca directory and go to the directory.
    mkdir ca
    cd ca
  4. Create the OpenSSL configuration file ca_cert.conf for the CA certificate. The file content is as follows:
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no

    [ req_distinguished_name ]
    O                      = MEF

    [ v3_ca ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints       = critical, CA:true
    keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
  5. Create the private key file ca.key of the CA certificate.
    openssl genrsa -aes256 -out ca.key 4096

    Choose a strong password when prompted. The password must contain at least eight characters and at least two of the following character types: digits, uppercase letters, lowercase letters, and special characters.

  6. Create the certificate signing request (CSR) file ca.csr for the CA certificate.
    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf
  7. Create the self-signed CA certificate ca.crt.
    openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 1000 -extfile ./ca_cert.conf -extensions v3_ca -signkey ca.key
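The following script is an added example, not part of the original page: it runs steps 2 to 7 above non-interactively and then checks the result against the guidance at the top of the page (encrypted key, 4096-bit RSA, SHA-256 signature, CA:TRUE, validity of at most 36 months). It assumes openssl is on PATH and that the key passphrase is supplied through an environment variable named CA_KEY_PASS (a name chosen for this example; OpenSSL's -passout/-passin env: syntax reads it). The 1000-day validity used in step 7 passes the check; a longer period fails it.

```shell
#!/bin/sh
# Added example (not from the original page). Runs the CA-creation steps
# without interactive prompts and verifies the output against the guidance.
# Assumptions: openssl on PATH; passphrase in the CA_KEY_PASS environment
# variable (placeholder name, set it to a strong value before running).
set -eu

# Write the page's ca_cert.conf into the given directory.
write_ca_conf() {
    cat > "$1/ca_cert.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O = MEF

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# make_ca DIR DAYS: create ca.key (AES-256 encrypted, 4096-bit RSA), ca.csr and
# the self-signed ca.crt in DIR, mirroring steps 4 to 7 of the procedure.
make_ca() {
    dir=$1; days=$2
    mkdir -p "$dir"
    write_ca_conf "$dir"
    openssl genrsa -aes256 -passout env:CA_KEY_PASS -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -key "$dir/ca.key" -passin env:CA_KEY_PASS \
        -config "$dir/ca_cert.conf" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -passin env:CA_KEY_PASS \
        -sha256 -days "$days" -extfile "$dir/ca_cert.conf" -extensions v3_ca \
        -out "$dir/ca.crt" 2>/dev/null
}

# check_ca DIR: return 0 only if the generated material follows the guidance:
# encrypted private key, 4096-bit RSA, SHA-256 signature, CA:TRUE, and a
# validity period of at most 36 months.
check_ca() {
    dir=$1
    # Both PEM key formats OpenSSL writes carry the word ENCRYPTED when a
    # passphrase was used; a plaintext key does not.
    grep -q ENCRYPTED "$dir/ca.key" || { echo "key is not encrypted"; return 1; }
    text=$(openssl x509 -in "$dir/ca.crt" -noout -text)
    echo "$text" | grep -q 'Public-Key: (4096 bit)' \
        || { echo "key shorter than 4096 bits"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "signature hash is not SHA-256"; return 1; }
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "basicConstraints is not CA:TRUE"; return 1; }
    # 36 months is about 1096 days. -checkend N exits non-zero when the
    # certificate expires within N seconds, which is the acceptable case here.
    if openssl x509 -in "$dir/ca.crt" -noout -checkend $((1096 * 86400)); then
        echo "validity period exceeds 36 months"; return 1
    fi
    return 0
}

# Stand-alone use: CA_KEY_PASS='<strong passphrase>' sh make_ca.sh
# Creates cert_v3/ca as in steps 2 and 3, then runs the checks.
if [ -n "${CA_KEY_PASS:-}" ]; then
    make_ca cert_v3/ca 1000 && check_ca cert_v3/ca && echo "CA certificate OK"
fi
```

Passing the passphrase through the environment keeps it out of the shell history and the process list, which is why env: is used rather than pass:. The -checkend test is a convenient way to enforce the 36-month limit without date arithmetic in shell.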