Create Your Own Certificate Authority (CA) in CentOS/RHEL

A certificate authority (CA) issues digital certificates that certify the ownership of a public key by the named subject of the certificate. Trusted certificates are typically used to make secure connections to a server over the Internet. A certificate is needed so that a malicious party that happens to sit on the path to the target server cannot pretend to be that server; such a scenario is commonly referred to as a man-in-the-middle attack.

In general people use trusted CAs on the Internet, like VeriSign, but there are cases where you need your own CA, for example to add extra security to an intranet or VPN, or simply because you don't want to pay for one.

Install openssl

First we will start by installing the openssl utility. If you are using CentOS / Fedora / RHEL, you can do this using yum like this:

# yum install openssl

If you are using Ubuntu / Debian you can use apt-get like this:

# apt-get install openssl

Creating your own CA

To create your own CA you can use the script that comes with the openssl package. First go to an empty directory and then run the script like this:

For CentOS / Fedora / RHEL

# /usr/share/ssl/misc/ -newca

Ubuntu / Debian

# /usr/lib/ssl/misc/ -newca

The script will run you through all the steps of creating your new CA. It doesn't matter very much what you enter in the fields, and all entries are self-explanatory.

The full process will look something like this:

Creating certificates

Now that you have your own certificate authority (CA) you can create digital certificates for servers on your LAN, for VPN clients, or for whatever service you need to use with SSL. This takes two steps:

First you will need to create a private key and a certificate request:

# /usr/lib/ssl/misc/ -newreq

You will be asked the same questions as in the newca option, as shown below:

Now you can sign that certificate with your CA using the following command:

# /usr/lib/ssl/misc/ -sign

Now you can use this certificate for any purpose you wish.
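The same three steps (create the CA, create a key and request, sign the request), as an added example that is not part of the original post, done with plain openssl commands so the files and extensions involved are visible. The host name, CA name and file names are constructed; it assumes only that the openssl CLI (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: the tutorial's three
# steps (-newca, -newreq, -sign) done with plain openssl commands so the
# files and extensions involved are visible. Names are constructed.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.
set -eu

# Step 1 (-newca): CA private key and self-signed CA certificate. The
# key is left unencrypted (-nodes) only to keep this script non-interactive;
# a real CA key should be passphrase-protected and kept off the servers
# that use the certificates it issues.
make_ca() {
  dir="$1"; mkdir -p "$dir"
  printf '%s\n' "[req]" "distinguished_name=dn" "prompt=no" \
    "[dn]" "CN=Example Lab CA" "[ca_ext]" \
    "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" \
    "subjectKeyIdentifier=hash" > "$dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Step 2 (-newreq): server key plus a certificate signing request (CSR).
make_request() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
}

# Step 3 (-sign): the CA signs the CSR. Extensions are supplied here by
# the CA, not taken from the request, so a requester cannot ask for CA:TRUE.
sign_request() {
  dir="$1"; host="$2"
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectAltName=DNS:$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# Check: the issued certificate chains to the CA and carries the host name.
verify_issued() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}
```

Run it as `make_ca ./lab-ca && make_request ./lab-ca intranet.example.lan && sign_request ./lab-ca intranet.example.lan && verify_issued ./lab-ca intranet.example.lan`; the `openssl verify` step is the check a client performs, and it only passes because the issuing certificate is the one you tell it to trust.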

Comments

  1. On my system (CentOS 7) I had to run "yum install openssl-perl" to get the Perl script, as it wasn't included with the openssl package.

    • In a standard CentOS 7 system, without doing the "yum install open-ssl-perl" mentioned earlier:

      Located in '/etc/pki/tls/misc/', CA is actually a Bash script with no extension in the file name, and it is not a Perl script like

      So the tutorial on this page can be executed by:

      cd /etc/pki/tls/misc

      ./CA -newca
      ./CA -newreq
      ./CA -sign
