Setting up and using your own SSL CA

This guide shows how to set up a two-tier Certificate Authority (an offline root CA and an intermediate CA that signs end-entity certificates) on CentOS 7 using the OpenSSL command-line tools.

Set up the file structure:

Create a config file /root/ca/openssl.cnf

Now we can generate the root key:

Create the root certificate:

Verify the root certificate:

Create the intermediate certificate:

Add a crlnumber file to the intermediate CA directory tree. crlnumber is used to keep track of certificate revocation lists:

Create the intermediate CA configuration file /root/ca/intermediate/openssl.cnf by copying the main one created above, then alter the following settings so that they point at the intermediate CA's own directory, key and certificate:

Create the intermediate key:

Create the intermediate certificate:
Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate.

The index.txt file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate.

Verify the intermediate certificate:

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

Create the certificate chain file:

NOTE: Our certificate chain file must include the root certificate because no client application knows about it yet. A better option, particularly if you are administering an intranet, is to install your root certificate on every client that needs to connect. In that case, the chain file need only contain your intermediate certificate.

We can now sign client and server certificates!

Create a key:

If you don't want to be prompted for a password each time the certificate's private key is used (for example when a server starts), leave out the -aes256 parameter.

Create a certificate signing request (CSR):

Sign the CSR:

Verify the certificate:

Verify the chain of trust:

Deploy the certificate:
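The whole procedure above, from the directory layout through root, intermediate, chain file and a signed server certificate, carried out as one unattended shell script. This is an added example and not the guide's own commands: it writes its own minimal openssl.cnf inline rather than using the /root/ca/openssl.cnf the guide refers to, builds the tree under a directory given by $PKI_DIR (defaulting to a temporary directory instead of /root/ca so it can be run anywhere), and uses the hypothetical names "Example Root CA", "Example Intermediate CA" and "www.example.test". The private keys are deliberately generated without -aes256 so that no password prompts block the run.

```shell
#!/bin/sh
# Added example (not from the original guide): two-tier OpenSSL CA built in $1.
# Names ("Example Root CA", "www.example.test") and paths are hypothetical.
set -eu

# Write an openssl.cnf for the CA in $1; $2/$3 are that CA's own key and cert.
# The intermediate CA gets the same file with only dir/private_key/certificate changed.
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
private_key   = \$dir/private/$2
certificate   = \$dir/certs/$3
default_md    = sha256
default_days  = 375
policy        = policy_loose
[ policy_loose ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
default_md  = sha256
string_mask = utf8only
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
EOF
}

# Directory tree plus the bookkeeping files the `openssl ca` tool expects.
init_tree() {
  mkdir -p "$1/certs" "$1/newcerts" "$1/private" "$1/csr"
  chmod 700 "$1/private"
  : > "$1/index.txt"        # certificate database, maintained by openssl ca
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber" # CRL sequence number
}

build_pki() {
  root="$1"; inter="$1/intermediate"
  init_tree "$root";  write_cnf "$root"  ca.key.pem ca.cert.pem
  init_tree "$inter"; write_cnf "$inter" intermediate.key.pem intermediate.cert.pem
  # Root: self-signed, long-lived, v3_ca extensions (add -aes256 to genrsa to encrypt the key).
  openssl genrsa -out "$root/private/ca.key.pem" 4096 2>/dev/null
  openssl req -config "$root/openssl.cnf" -key "$root/private/ca.key.pem" -new -x509 \
    -days 7300 -sha256 -extensions v3_ca -subj "/CN=Example Root CA" \
    -out "$root/certs/ca.cert.pem"
  # Intermediate: CSR with a different CN, signed by the root for a shorter period.
  openssl genrsa -out "$inter/private/intermediate.key.pem" 4096 2>/dev/null
  openssl req -config "$inter/openssl.cnf" -new -sha256 -key "$inter/private/intermediate.key.pem" \
    -subj "/CN=Example Intermediate CA" -out "$inter/csr/intermediate.csr.pem"
  openssl ca -batch -config "$root/openssl.cnf" -extensions v3_intermediate_ca -days 3650 \
    -notext -md sha256 -in "$inter/csr/intermediate.csr.pem" \
    -out "$inter/certs/intermediate.cert.pem" 2>/dev/null
  # Chain file: intermediate first, then root (root only needed until clients trust it directly).
  cat "$inter/certs/intermediate.cert.pem" "$root/certs/ca.cert.pem" > "$inter/certs/ca-chain.cert.pem"
  # Server certificate: key, CSR, signed by the intermediate with server_cert extensions.
  openssl genrsa -out "$inter/private/www.key.pem" 2048 2>/dev/null
  openssl req -config "$inter/openssl.cnf" -new -sha256 -key "$inter/private/www.key.pem" \
    -subj "/CN=www.example.test" -out "$inter/csr/www.csr.pem"
  openssl ca -batch -config "$inter/openssl.cnf" -extensions server_cert -days 375 \
    -notext -md sha256 -in "$inter/csr/www.csr.pem" -out "$inter/certs/www.cert.pem" 2>/dev/null
}

# Exit 0 only if the intermediate chains to the root and the leaf chains through both.
verify_chain() {
  openssl verify -CAfile "$1/certs/ca.cert.pem" "$1/intermediate/certs/intermediate.cert.pem" >/dev/null &&
  openssl verify -CAfile "$1/intermediate/certs/ca-chain.cert.pem" "$1/intermediate/certs/www.cert.pem" >/dev/null
}

PKI="${PKI_DIR:-$(mktemp -d)}"
build_pki "$PKI" && verify_chain "$PKI" && echo "PKI built and verified in $PKI"
```

After it runs, $PKI/index.txt holds one "V" line for the intermediate and $PKI/intermediate/index.txt one for the server certificate, matching the guide's note that the database is updated by the ca tool and must not be edited by hand. To deploy, the server is given intermediate/private/www.key.pem, intermediate/certs/www.cert.pem and intermediate/certs/ca-chain.cert.pem; once the root is installed on every client, the chain file can be reduced to the intermediate certificate alone.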