Jamie’s Discourse

OpenSSL Certificate Authority

Great post!
I only had trouble displaying Latin chars in the organizationName field, and I fixed it by adding -utf8 when I was creating the CSR:

openssl req -config intermediate/openssl.cnf -key intermediate/private/$sitio.key.pem -new -utf8 -sha256 -out intermediate/csr/$sitio.csr.pem

Indeed a great guide! When I modified this for my purposes, I found that the server and user certs were signed by the root cert, not the intermediate. Has anyone else seen the same or is it just me messing things up? I resolved it by creating a separate openssl.cnf for those.


Great documentation, many thanks for that!
For the purpose of a local tool, I had to set up a full SSL chain from scratch, and I was only finding little fragments of information with very few explanations, which were so confusing when finally put all together.
Until I found your post, and everything suddenly became extra clear!
Maybe you should just add a little section about how to trust the newly created root certificate. Because at first I was a little confused when I saw the ssl error telling me that there was a self-signed certificate in my chain. Even if I quickly understood why…
Many thanks again for this work!

Great Docs about CA creation. Thanks a lot.

Any chance to have this document also exported to PDF?
Or to put the Source of the docs which are used for sphinx online into a git repo? So any updates or hardening could be added with Pull Requests?

This guide’s comprehensive up to the Deploy the Certificate section, but “You can now either deploy your new certificate to a server, or distribute the certificate to a client. When deploying to a server application (eg, Apache), you need to make the following files available” leaves no clear idea what to do to actually deploy it. Where should those files be available, etc? Pointers to further resources would be helpful here.

Hello, I need to create an Indirect CRL. Could you please help us by providing the steps to do so?

Great writeup!!! Thanks.

Something caught my eye. In the intermediate configuration file in the appendix you have

[ req ]

x509_extensions = v3_ca

when I expected to see

[ req ]

x509_extensions = v3_intermediate_ca

because of the pathlen:0 attribute only in the latter:


basicContraints = …, pathlen:0

Awesome work, thanks a lot!

Thank you for great documentation.

I would suggest adding “copy_extensions = copy” to [ CA_default ] at intermediate/openssl.cnf to pass subjectAltName to signed certificate along with CRL.

Adding my thanks and appreciation!

For several years, I maintained a registry of assigned names and numbers for a software development organization: mostly OID’s and SNMP MIB’s. At one point, I prototyped an internal CA and published certificates as well. The registry structure followed Maven/Ivy conventions so that build/integration systems could download these artifacts. I followed this tutorial to set up the CA.

Jamie’s tutorial covers certificate generation but not so much about publication. Similarly, the aspects of provisioning servers and clients are not covered so much. I ran into the sort of problems you find in the comments such as how to bundle up a certificate chain and key for a given server.

I’ve published two GitHub projects covering:

  1. A prototype web site and registry to make certificates generated by a CA publicly available: ranger6/xanna

  2. A set of tools (mostly bash scripts) to standardize and simplify the publication of certificates, generate certificate bundles, etc.: ranger6/ca. This project includes an example workflow of setting up the CA with signing certificates, generating server certificates, publishing to a registry, and fetching certificates/bundles to provision servers. A good part of the workflow (the upstream part) is simply following Jamie’s tutorial.

Advice on all the provisioning gotchas is not covered. I mostly played around with Caddy (caddyserver.com).

Everything is free for the taking (MIT License). Comments and pull requests accepted!

First of all this is great article.

When I check the certification path from the browser, it shows only intermediate certificate -> server certificate… Why is the root CA missing from the certification path? I am expecting the certification path to show root CA -> intermediate CA -> server.

A PDF version of https://jamielinux.com/docs/openssl-certificate-authority/index.html would be really handy to be stored together with produced files.

Is there any way to create certs with “Certificate Transparency” using the openssl CA?

Hi, when I reached the “Create the intermediate certificate” step, while trying to sign the CSR with my root CA, I encountered this error message after keying in my passphrase for my root CA private key:

ca: PKI/ca/root/newcerts is not a directory
PKI/ca/root/newcerts: No error

May I know what does this mean?

After much researching, I somehow believe this error is due to the fact that when I try to access my root CA configuration file, it is unable to read the respective directories under the [ CA_default ] section. This is because even though the root private key and root certificate are listed under the [ CA_default ] section, it shows an error message saying “unable to load CA private key”, but after I indicated the path to the private key on my command line, this error message was gone. Therefore, I believe it is due to the file path naming convention, but I still do not know how to resolve this. Please advise!

Below is the command I used:
C:\Users\QiKang.Lim\PKI\ca>openssl ca -config root\root.conf -keyfile root\private\ca.key.pem -cert root\certs\ca.cert.pem -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate\csr\intermediate.csr.pem -out intermediate\certs\intermediate.cert.pem

Hello Kyokku, I saw your post and I assume you are using Windows to generate your own certificate authority and certificates. Did you encounter any problem accessing your root key and root configuration file when you were signing the CSR for your intermediate CA generation? I encountered some problems and hope you can advise me. Please and thank you!

Thank you very much for this guide on creating an OpenSSL CA. It’s extremely well written and I found it very helpful.

What a comprehensive, well-written, useful guide. This is really appreciated!

Thanks for the instructions but I’m running into a little bit of a problem with the following error:

Using configuration from intermediate/openssl.cnf
Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
140423648978176:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/root/ca/intermediate/index.txt','r')
140423648978176:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

This is occurring with the following command as listed in your guide:

# openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem

Found my own problem – no need to respond – I had a file called indext.txt rather than index.txt. I made the correction and things worked as expected. Thanks.
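Both errors quoted in this thread (“newcerts is not a directory” and the missing index.txt) come from paths under [ CA_default ] that openssl ca expects to exist before it runs. The following POSIX sh check is an added example, not from the guide or from any commenter: it reads those paths out of an openssl.cnf laid out like the guide’s (a `dir = …` line followed by `$dir`-relative entries) and reports what is missing, so the layout can be verified before signing.

```shell
#!/bin/sh
# Added example: verify the [ CA_default ] layout of an openssl.cnf before
# running `openssl ca`. Assumes the guide's layout: one `dir = ...` line and
# entries such as `new_certs_dir = $dir/newcerts`, `database = $dir/index.txt`.

# ca_default_value CONFIG KEY: print KEY's value from [ CA_default ], with
# $dir expanded. Comment lines and other sections are ignored.
ca_default_value() {
    cfg=$1; key=$2
    dir=$(awk -F'=' '
        /^[ \t]*#/ { next }
        /^\[ *CA_default *\]/ { s = 1; next }
        /^\[/ { s = 0 }
        s && $1 ~ /^[ \t]*dir[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }
    ' "$cfg")
    awk -F'=' -v key="$key" -v dir="$dir" '
        /^[ \t]*#/ { next }
        /^\[ *CA_default *\]/ { s = 1; next }
        /^\[/ { s = 0 }
        s && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); sub(/\$dir/, dir, $2); print $2; exit
        }
    ' "$cfg"
}

# check_ca_layout CONFIG: return 0 when every directory and file that
# `openssl ca` opens is present; otherwise list each missing item, return 1.
check_ca_layout() {
    cfg=$1; rc=0
    for d in certs crl_dir new_certs_dir; do
        p=$(ca_default_value "$cfg" "$d")
        [ -d "$p" ] || { echo "missing directory ($d): $p"; rc=1; }
    done
    for f in database serial; do
        p=$(ca_default_value "$cfg" "$f")
        [ -f "$p" ] || { echo "missing file ($f): $p"; rc=1; }
    done
    return $rc
}
```

Run it as `check_ca_layout intermediate/openssl.cnf` from the CA root; a non-zero exit with the printed list points at exactly the path openssl ca would fail on.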