Monthly Archives: June 2013

How to create your own PKI with openssl

Today certificates are widely used to verify, authenticate a client/user or server, to encrypt or sign emails or to sign other types of objects (e.g. source code). You are using a certificate at the moment, due to the secure http (https) connection.
In this post I will show you how to create your own Root Certificate Authority (CA).

1. Create a self signed root certificate
2. Create a sub ca certificate
3. Create a server certificate
4. Create a user certificate
5. Generate a certificate revocation list
6. Revoke a certificate
7. Export a certificate to PKCS#12 format
8. Bash script to manage your own CA

I recommend to configure your openssl.cnf (located at /etc/ssl/openssl.cnf). This is the most annoying part, but it simplifies the next steps. You can find an example of an openssl.cnf I’ll use at the end of this post. Be careful at the policy_match section, this can be a problem while signing a certificate signing request.
Read the rest of this entry