Simple Certificate Authority: how-to May 11, 2021 on Savely Krasovsky's blog

This post is just an example of how to create a simple CA and issue a TLS certificate. I will deliberately not give any explanations, because the Internet has been full of them for a long time.

It also frustrates me that people tend to copy and paste configurations without realizing that many of the parameters are simply not needed for their use case. Here I tried to keep it as simple as possible.

So create three files:

ca.cnf:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
# You can remove this if you don't use non-ASCII symbols
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's CA"

[v3_req]
keyUsage = digitalSignature

tls.cnf:

[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"

tls.ext:

keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = home.local
DNS.2 = *.home.local

Now execute this:

# Generate CA cert
openssl ecparam -name prime256v1 -genkey -out ca.key
openssl req -new -key ca.key -config ca.cnf -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

# Generate TLS cert
openssl ecparam -name prime256v1 -genkey -out tls.key
openssl req -new -key tls.key -config tls.cnf -out tls.csr
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -out tls.crt -days 365 -extfile tls.ext
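As an added example (not code from the original post), here is the same recipe in Go's crypto/x509: a self-signed CA, a server certificate for the two SAN entries above, and the verification a TLS client performs against that CA. Unlike ca.cnf, whose [v3_req] section `openssl x509 -req` does not copy into the certificate unless asked to, the CA template sets basicConstraints CA:TRUE and keyCertSign explicitly, which RFC 5280 requires of an issuer and strict validators check. The subject names are placeholders, and the hostnames checked are constructed sample inputs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key (like openssl ecparam -name prime256v1) and has issuerKey sign tmpl for it; nil issuerKey means self-signed.
func issue(tmpl, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey, days int) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if issuerKey == nil { // self-signed, as for the CA
		issuerKey = key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62)) // RFC 5280: unique per issuer
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(0, 0, days)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}
// newCA mirrors ca.cnf and "Generate CA cert", plus the CA:TRUE and keyCertSign an issuer needs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		Subject: pkix.Name{Country: []string{"RU"}, CommonName: "Example CA"}, // placeholder name
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return issue(tmpl, tmpl, nil, 3650)
}
// issueServer mirrors tls.cnf plus tls.ext: serverAuth and the subjectAltName list.
func issueServer(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns []string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:     pkix.Name{Country: []string{"RU"}, CommonName: "Example LAN"}, // placeholder name
		DNSNames:    dns, // what clients actually match; modern clients ignore the CN
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey, 365)
}
// verifyChain does what a TLS client does: path-build to the trusted CA, check serverAuth and match host against the SANs (a wildcard covers one label).
func verifyChain(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

The block is written as a library with no main; call newCA, issueServer and verifyChain from a test or a main of your own.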

Of course, you can issue more than server TLS certificates; this is just the simplest case. Adjust the tls.ext file (especially the keyUsage and extendedKeyUsage parameters) to issue other kinds of certificate.

For example, this is an mTLS-compatible client cert:

personal.cnf:

[req]
distinguished_name = req_distinguished_name
prompt = no
utf8 = yes

[req_distinguished_name]
C = RU
CN = "Savely Krasovsky's LAN"

personal.ext:

keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash

Generation:

openssl ecparam -name prime256v1 -genkey -out personal.key
openssl req -new -key personal.key -config personal.cnf -out personal.csr
openssl x509 -req -in personal.csr -CA ca.crt -CAkey ca.key -out personal.crt -days 365 -extfile personal.ext

# Convert to a convenient PKCS#12 bundle in which the key and the cert are combined
openssl pkcs12 -export -out personal.pfx -inkey personal.key -in personal.crt