User Tools

Site Tools


Creating CA and signing server and client certs with openssl

Can be used for anything that requires SSL certs, including stunnel certs. For stunnel certs client cert should be concatenated to the CA server file (rootCA.crt below) on the stunnel server.

Also see easy-rsa for a scripted way of doing below.

Configuring your CA

mkdir -p /tmp/myCA/
cd /tmp/myCA
mkdir certs csr newcerts private

On Ubuntu 18.04 example openssl.cnf is in /usr/lib/ssl/openssl.cnf.

cp /usr/lib/ssl/openssl.cnf /tmp/myCA/
echo 00 > serial
echo 00 > crlnumber
touch index.txt index.txt.attr

Change the dir parameter in openssl.cnf to /tmp/myCA (no trailing slash and use absolute path!).

Create the CA

Generate CA private key with or without passphrase

Create CA private key without passphrase

openssl genrsa -out rootCA.key 4096

Create CA private key with passphrase

openssl genrsa -des3 -passout pass:qwerty -out  private/rootCA.key 2048

Remove passphrase if needed

openssl rsa -passin pass:qwerty -in private/rootCA.key -out private/rootCA.key

Create CA self-signed certificate

openssl req -config openssl.cnf -new -x509 -subj '/C=DE/L=City/O=MyORG/CN=somename' -days 3650 -key private/rootCA.key -out certs/rootCA.crt

Or you can have openssl prompt you for the info with this command:

openssl req -new -x509 -days 3650 -sha256 -key private/rootCA.key -out certs/rootCA.crt

Create a SSL Server certificate

Create private key for the server without passphrase

openssl genrsa -out private/server.key 2048

Create private key for the server with passphrase

openssl genrsa -des3 -passout pass:qwerty -out private/server.key 2048

Remove passphrase

openssl rsa -passin pass:qwerty -in private/server.key -out private/server.key

Create CSR for the server. Change CN.

openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=someothername' -key private/server.key -out csr/server.csr

Or interactively

openssl req -new -sha256 -key private/server.key -out csr/server.csr

Create certificate for the server

openssl ca -batch -config openssl.cnf -days 3650 -in csr/server.csr -out certs/server.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Alternatively with a custom provided config file

openssl ca -config mycustom-config.conf -cert certs/rootCA.crt -keyfile private/rootCA.key -in csr/server.csr -out certs/server.crt

Contents of mycustom-config.conf:

[ ca ]
default_ca              = Practical-TLS_CA-config

[ Practical-TLS_CA-config ]
dir                     = RootCA/CA
certs                   = $dir
new_certs_dir           = $dir
database                = $dir/index.txt
serial                  = $dir/serial
default_days            = 365
default_crl_days        = 30
default_md              = sha256
preserve                = no
copy_extensions         = copy
policy                  = DN_attributes
x509_extensions         = certificate_extensions

[ DN_attributes ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ certificate_extensions ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth

Create a SSL Client certificate

To use the client certificate in Firefox you need to export it to the correct format like so

openssl pkcs12 -export -in certs/client.crt -inkey private/client.key -out certs/client.p12

Then you can import it via Settings > Security > View certificates > Import. Also the server config needs to be added, e.g. for nginx

server {
ssl_verify_client on;
ssl_client_certificate /etc/nginx/rootCA.crt;

Create private key for the client without passphrase

openssl genrsa -out private/client.key 2048

Create private key for a client

openssl genrsa -des3 -passout pass:qwerty -out private/client.key 2048

Remove passphrase

openssl rsa -passin pass:qwerty -in private/client.key -out private/client.key

Create CSR for the client. Change CN.

openssl req -config openssl.cnf -new -subj '/C=DE/L=City/O=MyORG/CN=thirdname' -key private/client.key -out csr/client.csr

Or interactively

openssl req -new -sha256 -key private/client.key -out csr/client.csr

Create client certificate.

openssl ca -batch -config openssl.cnf -days 3650 -in csr/client.csr -out certs/client.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Verfiy certs

openssl verify -CAfile certs/rootCA.crt certs/client.crt
openssl verify -CAfile certs/rootCA.crt certs/server.crt

To inspect the CSR you can run:

openssl req -in client.csr -noout -text

To inspect the certificate:

openssl x509 -in client.crt -noout -text

To inspect the key:

openssl rsa -in client.key -noout -text

Additional extensions

If you need to add some x509 certificate extensions. like Subject Alternative Name (SAN) for additional domains you can provide a config file to the CSR similar to this:


[ req ]
distinguished_name  = requested_distinguished_name
req_extensions = requested_extensions

[ requested_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
organizationName                = Organization Name (eg, company)
commonName                      = Common Name

countryName_default             = HR
stateOrProvinceName_default     = North Province
localityName_default            = The Town
organizationName_default        = Secret org

[ requested_extensions ]
subjectAltName = @list_of_alternative_names
[ list_of_alternative_names ]
DNS.1   =
DNS.2   =
DNS.3   =
DNS.5   =
DNS.6   =
DNS.7   = *
DNS.8   =
DNS.9   = *

Above configuration will prompt you for commonName, organizationName etc. If you want to avoid prompting use below configuration:

[ req ]
default_bits           = 2048
default_keyfile        = keyfile.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no
output_password        = mypass

[ req_distinguished_name ]
C                      = GB
ST                     = Test State or Province
L                      = Test Locality
O                      = Organization Name
OU                     = Organizational Unit Name
CN                     = Common Name
emailAddress           = test@email.address

[ req_attributes ]

Note that the prompt=no, different attribute names in req_distinguished_name and empty req_attributes part.

You cannot define *_min, *_max and *_default when prompt is set to no.

Defining Organization Name, Locality etc. will not work with Letsencrypt. O and OU are only used for organization validation certificates. Let’s Encrypt only offers domain validation and can’t make any assertion as to the person or company that owns/manages the domain.

Then after generating the key

openssl genrsa -out private/client.key 2048

create the CSR

openssl req -new -sha256 -config mycsr.conf -key private/client.key -out csr/client.csr

Tested on

  • Ubuntu 18.04, 20.04.04
  • stunnel

See also


wiki/creating_ca_and_signing_server_and_client_certs_with_openssl.txt · Last modified: 2024/04/09 14:08 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki