Jamie’s Discourse

OpenSSL Certificate Authority

Discuss my OpenSSL Certificate Authority guide. Feel free to create a separate topic for more focused discussions!


I’m getting an error when I try to make a certificate without a password:

“failed to update database
TXT_DB error number 2”

What’s the deal?

This error happens when trying to sign a certificate with the same Common Name that you used for the root or intermediate pair. Make sure that you use a different Common Name.

I was wondering if you knew why I am getting this error when I was following your steps. When trying to generate the Sign server and client certificates, I ran into this error:

root@crtt-test-Team:~/ca# openssl ca -config intermediate/openssl.cnf \
    -extensions server_cert -days 375 -notext -md sha256 \
    -in intermediate/csr/www.example.com.csr.pem \
    -out intermediate/certs/www.example.com.cert.pem
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
unable to load certificate
140278873884320:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE


Never mind, I believe it was a permission issue on one of the files. It is working now.

I tried to do the last step in the intermediate part and chain the root and inter. When I open the chain with openssl, I only see the intermediate cert info. Am I supposed to have both or just one?

This is normal. I assume what you’re running is openssl x509 -noout -text -in ca-cert.chain.pem. This will only show you information for the first certificate in a file.
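To look at every certificate in a chain file rather than only the first, the bundle can be split and each part passed to openssl x509. The script below is an added example, not part of the original thread or the guide; the demo CA names, the file names it writes and the script name list-chain.sh are assumptions.

```shell
#!/bin/sh
# Added example: inspect every certificate in a PEM bundle, not only the first.

# Build a throwaway root and intermediate in directory $1 (constructed sample
# data; names and the 1-day lifetime are arbitrary) and bundle them with the
# intermediate first and the root last.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/int.pem" 2>/dev/null &&
    cat "$1/int.pem" "$1/root.pem" > "$1/ca-chain.pem"
}

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ...; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Print "N subject | issuer" for each certificate. Returns 1 when a
# certificate's subject is not the issuer of the one before it, i.e. the
# bundle is not ordered from the issued certificate up to its issuer.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    rc=0 i=1 prev_issuer=
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert-$i.pem")
        issr=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert-$i.pem")
        echo "$i ${subj#subject=} | ${issr#issuer=}"
        if [ "$i" -gt 1 ] && [ "${subj#subject=}" != "$prev_issuer" ]; then rc=1; fi
        prev_issuer=${issr#issuer=}
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage (hypothetical script name): sh list-chain.sh ca-cert.chain.pem
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

A chain file built from a root and one intermediate should produce two lines, with the issuer on line 1 matching the subject on line 2.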

The document is clear and succinct. You should keep it around for a while (more visitors will look at this site).


Thank you for the good documentation so far. :)

Really great walkthrough. Could you provide an example of what command to use for creating the client certificates? Will we need to use openssl pkcs12?

Great tutorial! Finally one that worked for what I needed in a home lab/server environment.

One additional thing I was looking for was how to create a certificate for a server with a subject alternative name. Sometimes I access a server via its IP address and not just the host name, so I’d like to be able to generate a cert that would work for host name and the server’s IP address.



Hi, perhaps I can help you. I had the same problem. From 2 files (crt & key) there is an easy way to get pkcs12 files. You can just use the command:

openssl pkcs12 -export -out intermediate/certs/%certname%.pfx -inkey intermediate/private/%certname%.key.pem -in intermediate/certs/%certname%.cert.pem -certfile intermediate/certs/intermediate.cert.pem

The Out-parameter is the pkcs12-File, inkey is the private key of the client, in is the client cert and certfile is the Intermediate CA.

But I had problems. My nodejs server did not authorize this client certificate. I use the intermediate cert as CA cert in my nodejs server. Any solutions for this?

Great guide! Quick question though, do you have any experience with OCSP responders and could you possibly forward me to a solution for OCSP responding?

An uppercase Thank You for the guide

Thanks for the guide. Worked perfectly in an OpenVPN setup I am running. I wanted a proper CA root/intermediate to run instead of using easyrsa like everyone else.

Thanks for the jumpstart! Just curious about one thing. The guide mentions:

Typically, the root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs, which are trusted by the root CA to sign certificates on their behalf. This is best practice. It allows the root key to be kept offline and unused as much as possible, as any compromise of the root key is disastrous.

Which I understand. And I see the separate pages about CRLs and OCSP for revoking server & client certs that are issued. But what about the (hopefully rare :) ) event that an intermediate CA’s key is compromised? Should the intermediate CAs also carry some revocation check URI in the same way? Just not sure how a compromise like that would be contained.

Thanks for this excellent guide! Very well written.

This is a great guide! Even though it is naturally suited to Linux, I was able to work through and complete a full root/intermediate/server cert construct process for a Windows platform.
All steps were well explained, with reasoning as to what and why to make troubleshooting easier.

Just so I understand it completely: is it right that the only time any of the files leave the secure server is when you “Deploy the certificate” (or revocation lists)? So I would use a USB drive to copy the files and deploy them. Other than that, nothing leaves that server?

Thanks for the great writeup!

This is a great resource!

A few things concerning apache2 and CRLs:

  1. ‘SSLCARevocationCheck leaf’ or ‘SSLCARevocationCheck chain’ is now required for CRLs to work at all. If the directive is missing, it defaults to ‘none’, which means no CRL checking.
  2. ‘SSLCARevocationFile /path/to/intermediate.crl.pem’ seems to work much better than using ‘SSLCARevocationPath /path/to/’ if you can live with a single CRL file. The ‘SSLCARevocationPath /path/to/’ directive requires hashing and it doesn’t seem to work as well in a simple situation.
  3. Both these directives have to be seen BEFORE any virtual hosts are seen in your apache config files. You can only have one set of these directives for your entire apache server.
  4. If you have multiple CAs with multiple CRLs, you have to put all the CRL PEMs in the same directory and use the ‘SSLCARevocationPath’ directive. That means you have to hash them.
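The first two points of the post above can be checked mechanically: a CRL file with no SSLCARevocationCheck directive looks configured but checks nothing. The script below is an added example, not part of the original post; both sample configurations are constructed, and it assumes a single flat config read from stdin (no Include resolution, last occurrence of a directive wins).

```shell
#!/bin/sh
# Added example: audit an Apache config (read from stdin) for effective CRL checking.

# Constructed sample: a CRL file is configured but the check mode is left at
# its default, so no revocation checking happens.
weak_conf() {
    cat <<'EOF'
SSLCARevocationFile /path/to/intermediate.crl.pem
<VirtualHost *:443>
    SSLVerifyClient require
</VirtualHost>
EOF
}

# Constructed sample: the same server with the check mode set explicitly.
fixed_conf() {
    cat <<'EOF'
SSLCARevocationCheck chain
SSLCARevocationFile /path/to/intermediate.crl.pem
<VirtualHost *:443>
    SSLVerifyClient require
</VirtualHost>
EOF
}

# Print the effective settings; return 0 only when a leaf/chain check mode
# and a CRL source are both present. Directive names are case-insensitive.
audit_crl_conf() {
    awk '
        { sub(/^[ \t]+/, "") }          # drop indentation
        /^#/ || NF == 0 { next }        # skip comments and blank lines
        { key = tolower($1) }
        key == "sslcarevocationcheck" { mode = tolower($2) }
        key == "sslcarevocationfile"  { src = "file " $2 }
        key == "sslcarevocationpath"  { src = "path " $2; hashed = 1 }
        END {
            if (mode == "") mode = "none"
            print "check mode: " mode
            print "crl source: " (src == "" ? "missing" : src)
            if (hashed) print "note: every CRL in the path needs a <hash>.rN link"
            exit !((mode == "leaf" || mode == "chain") && src != "")
        }'
}

weak_conf  | audit_crl_conf || echo "=> weak config: CRLs are not being checked"
fixed_conf | audit_crl_conf && echo "=> fixed config: CRL checking is active"
```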