Set up your own CA

sslhappy-ca | dovecot-clientcert | thunderbird | apache-clientcert | firefox

tested with LibreSSL 3.3.1


The openssl ca tool needs a [ ca ] section pointing at a default_ca, and the nicer, lighter LibreSSL template does not ship one (nor the CA_default section it refers to). Check which binary and version you are dealing with first.

which openssl
openssl version

So let us grab a full-blown sample configuration

cd /etc/ssl/
wget -O - > openssl.sample

and add the required fields as such

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./
certs           = $dir
crl_dir         = $dir
database        = $dir/index.txt
new_certs_dir   = $dir
certificate     = $dir/ca.crt
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/ca.crl
private_key     = $dir/ca.key
RANDFILE        = $dir/.rand
x509_extensions = usr_cert
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 365
default_crl_days= 30
default_md      = default
preserve        = no
policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
nsComment       = "LibreSSL Generated Certificate"

note we've modified a few fields from the sample, namely

dir             = ./
certs           = $dir
crl_dir         = $dir
new_certs_dir   = $dir
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
crl             = $dir/ca.crl

nsComment       = "LibreSSL Generated Certificate"

this field is interesting as well, although nsCertType is the legacy Netscape extension; current software decides what a certificate may be used for from keyUsage and extendedKeyUsage (serverAuth, clientAuth, emailProtection) instead

[ usr_cert ]
# nsCertType = server
# nsCertType = client, email

Get a CA

on the CA node

Generate a privkey. Yes we want a passphrase here.

mkdir -p /etc/ssl/ORG-ROOT-CA/
cd /etc/ssl/ORG-ROOT-CA/
openssl genrsa -aes256 -out ca.key 4096
chmod 400 ca.key

generate a CSR for the CA itself and sign it. Beware that openssl x509 -req adds no X.509v3 extensions at all unless told to with -extfile, so a root produced this way lacks basicConstraints CA:true and some clients will refuse to trust it.

# openssl req -new -key ca.key -out ca.csr
# openssl req -in ca.csr -text -noout -verify
# openssl x509 -req -days 7300 -sha256 -in ca.csr -signkey ca.key -out ca.crt

or, preferably, request and self-sign in one go, which applies whatever x509_extensions the [ req ] section of openssl.cnf points at (v3_ca in the stock template)

openssl req -new -key ca.key -out ca.crt -x509 -days 7300 -sha256


e.g. answering the Organization Name and Common Name prompts with

Nethence Systems
Nethence Root CA (jan2021)

add a CRL and concatenate it to the certificate. openssl ca refuses to run without its database, so create index.txt before generating the CRL (the serial file only matters once we sign requests), and give crlnumber a portable initial value rather than relying on echo -ne, which not every shell understands.

touch index.txt
echo 01 > crlnumber
openssl ca -gencrl -out ca.crl
cp -pi ca.crt ca.crt.wocrl
cat ca.crl >> ca.crt

and review the resulting CA certificate and CRL

openssl x509 -in ca.crt -text -noout | less
openssl crl -in ca.crt -text -noout | less

Server or client CSR

on some server or client node

Now generate a CSR for some server or client.

Avoid a passphrase here: it would require human interaction every time the network service restarts or the client application launches.

openssl genrsa -out HOST-OR-USER.key 2048
# -aes256 if you really want a passphrase
chmod 400 HOST-OR-USER.key

generate a request

openssl req -key HOST-OR-USER.key -new -sha256 -out HOST-OR-USER.csr

some fields need to match the CA certificate, namely Country, State and Organization Name, because the policy_match section in openssl.cnf says so; leave the extra attributes (challenge password and optional company name) empty. For a server certificate, modern browsers ignore the Common Name and require a subjectAltName, and openssl ca only copies such request extensions into the signed certificate when CA_default contains copy_extensions = copy.


chmod 444 HOST-OR-USER.csr

and send the CSR to the CA owner, somehow. It is not confidential, just like a public certificate.

openssl req -in HOST-OR-USER.csr -noout -text -verify

Serve some certs

on the CA node

sign the request with your root CA

touch index.txt
echo 01 > serial

openssl ca -days 375 -notext -md sha256 -in HOST-OR-USER.csr -out HOST-OR-USER.crt
chmod 444 HOST-OR-USER.crt

tail index.txt
tail serial


openssl x509 -in HOST-OR-USER.crt -text -noout
openssl verify -CAfile ca.crt HOST-OR-USER.crt
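The whole procedure above, from the openssl.cnf sections through the CSR, the signing and the CRL, as one script. This is added here and is not part of the original page nor LibreSSL's own tooling. It assumes a scratch directory handed to each function, the DN values shown, a host name chosen by the caller and a CA passphrase passed through the CA_PASS environment variable. It deliberately differs from the page in three places: default_md is pinned to sha256, copy_extensions = copy lets the CSR's subjectAltName through, and usr_cert carries keyUsage/extendedKeyUsage instead of nsCertType. It then goes one step further than the page by revoking the certificate and checking that openssl verify -crl_check rejects it.

```sh
#!/bin/sh
# Added example, not the page's own commands: the procedure above, run
# non-interactively into a scratch directory so it can be checked offline.
# Assumed (not on the page): the directory given as $1, the DN values, the
# caller's host name, and the CA passphrase taken from $CA_PASS.
set -eu
CA_PASS="${CA_PASS:-changeme}"   # the page types this interactively
CA_BITS="${CA_BITS:-4096}"

# openssl.cnf with the [ ca ] sections the LibreSSL template lacks. Versus the
# page: default_md pinned to sha256, copy_extensions so a CSR's subjectAltName
# survives signing, and keyUsage/extendedKeyUsage instead of nsCertType.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
x509_extensions = usr_cert
copy_extensions = copy
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = FR
ST = Paris
O = Nethence Systems
CN = Nethence Root CA (jan2021)
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:false
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = serverAuth,clientAuth
EOF
}
# CA node: encrypted key, self-signed cert carrying v3_ca, the database files
# openssl ca insists on (index.txt, serial, crlnumber), and an empty first CRL.
make_ca() {
    mkdir -p "$1" && write_cnf "$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/ca.key" "$CA_BITS" 2>/dev/null
    chmod 400 "$1/ca.key"
    openssl req -config "$1/openssl.cnf" -new -x509 -days 7300 -sha256 \
        -key "$1/ca.key" -passin "pass:$CA_PASS" -out "$1/ca.crt"
    touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    openssl ca -config "$1/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$1/ca.crl" 2>/dev/null
}
# Server or client node: unencrypted key and a CSR whose C/ST/O match the CA
# (policy_match) and which requests a subjectAltName for the host name $2.
make_csr() {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = san\n[ dn ]\nC = FR\nST = Paris\nO = Nethence Systems\nCN = %s\n[ san ]\nsubjectAltName = DNS:%s\n' "$2" "$2" > "$1/$2.cnf"
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    chmod 400 "$1/$2.key"
    openssl req -config "$1/$2.cnf" -new -sha256 -key "$1/$2.key" -out "$1/$2.csr"
}
# CA node again: -batch skips the y/n prompts; the result carries usr_cert plus
# the copied SAN, and index.txt / serial advance as on the page.
sign_csr() {
    openssl ca -config "$1/openssl.cnf" -batch -passin "pass:$CA_PASS" -days 375 \
        -notext -md sha256 -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
    chmod 444 "$1/$2.crt"
}
# The page's check (chain against ca.crt with the CRL appended), plus -crl_check
# so the CRL is actually consulted. Prints valid or rejected.
verify_cert() {
    cat "$1/ca.crt" "$1/ca.crl" > "$1/ca-with-crl.pem"
    if openssl verify -CAfile "$1/ca-with-crl.pem" -crl_check "$1/$2.crt" 2>/dev/null | grep -q ': OK$'
    then echo valid; else echo rejected; fi
}
# Revoke and reissue the CRL; until this runs, the CRL on the page lists nothing.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -passin "pass:$CA_PASS" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -passin "pass:$CA_PASS" -gencrl -out "$1/ca.crl" 2>/dev/null
}
case "${1:-}" in run)   # sh ca-demo.sh run: show both outcomes under a temp dir
    d=$(mktemp -d); make_ca "$d"; make_csr "$d" mail.example.net; sign_csr "$d" mail.example.net
    echo "before revocation: $(verify_cert "$d" mail.example.net)"; revoke_cert "$d" mail.example.net
    echo "after revocation: $(verify_cert "$d" mail.example.net)" ;;
esac
```

Run it with sh ca-demo.sh run: the first verify prints valid, the second rejected, and index.txt now shows the entry flipped from V to R. Without -crl_check, openssl verify ignores the appended CRL entirely, which is why the page's plain verify line alone tells you nothing about revocation.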


