Pivotal Knowledge Base


VMware: How to Create Self-Signed Root Certificate Authority (CA)


Purpose

This article demonstrates how to create our own self-signed root Certificate Authority (CA) that can be used to sign other certificates.

Resolution

What is a self-signed certificate?

A self-signed certificate is a certificate that is signed with its own private key rather than by a trusted commercial CA, a private self-signed root CA or an intermediate CA.  All root CA certificates are self-signed; what makes a root trustworthy is not its signature but the fact that clients have been told to trust it explicitly.

Why create our own self-signed root CA?

Here are some of the reasons why we would want to create our own root Certificate Authority (CA):

  • We want to issue and distribute our own certificates without paying for each one to be signed by a commercial CA.
  • We have a large number of secure intranet services across our organization that each require a certificate, and our users don't mind importing our root certificate once.
  • We have a large number of development servers that don't need a certificate from a commercially trusted CA.

We will use the openssl command-line tool to create the self-signed root certificate authority (CA). You will need to have openssl installed before moving on to the next steps.

1)  Create directories to hold our root CA files.

> mkdir -p /home/someuser/ssl/root-ca/{conf,public,crl,newcerts,private}

2)  Create a custom openssl configuration file.

 Create a custom root-ca.cnf openssl configuration file from the default openssl.cnf file.

> cp /path/to/default/openssl.cnf  /home/someuser/ssl/root-ca/conf/root-ca.cnf

Modify the following settings in the root-ca.cnf file according to your environment. The other [ CA_default ] entries keep their values from the default file, in particular database = $dir/index.txt, serial = $dir/serial and new_certs_dir = $dir/newcerts, which is why step 3 creates the serial and index files at the top of the root-ca directory and step 1 creates the newcerts subdirectory.

> vi /home/someuser/ssl/root-ca/conf/root-ca.cnf

# Tells openssl where we keep all the files (crt, key, crl, and etc).
[ CA_default ]
dir             = /home/someuser/ssl/root-ca      # Where everything is kept
certificate     = $dir/public/root-ca.crt       # The CA certificate
crl             = $dir/root-ca.crl              # The current CRL
private_key     = $dir/private/root-ca.key      # The private key

# Default key size and private key file name.
[ req ]
default_bits            = 2048
default_keyfile         = root-ca.key

# Default distinguished name (DN) values for each field, so that
# creating a certificate needs as little manual input as possible.
[ req_distinguished_name ]
countryName_default             = US
stateOrProvinceName_default     = California
localityName_default            = SF
0.organizationName_default      = Pivotal
organizationalUnitName_default  = TSE
commonName_default              = My Root CA
emailAddress_default            = root@localhost

For complete example of our default and custom openssl configuration settings, please see the attached default openssl.cnf and the custom root-ca.cnf configuration files.

3)  Create the serial number file and an empty database index file in the /home/someuser/ssl/root-ca directory.

> cd /home/someuser/ssl/root-ca

> echo "01" > serial

> touch index.txt

4) Create the self-signed root Certificate Authority (CA).

Generate a 2048-bit RSA private key, encrypted under a passphrase. For a root that will be trusted for many years, a 3072- or 4096-bit key is preferable (change the size at the end of the command), and -aes256 is a stronger choice than -des3 for protecting the key file:

> openssl genrsa -des3 -out private/root-ca.key 2048

Generating RSA private key, 2048 bit long modulus
....................................................................................................................................................................................................+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for private/root-ca.key:
Verifying - Enter pass phrase for private/root-ca.key:

Generate the self-signed certificate. The signature must use SHA-256 (or stronger): browsers and TLS libraries no longer accept SHA-1 signed certificates, so a root created with -sha1 cannot be used for anything modern. The example below keeps the 100-year validity; a shorter lifetime such as 10 or 20 years is more common for a private root, because it limits how long a lost or compromised key stays trusted:

>  openssl req -new -x509 -sha256 -days 36500 -key private/root-ca.key -out public/root-ca.crt -config conf/root-ca.cnf
Enter pass phrase for private/root-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [SF]:
Organization Name (eg, company) [Pivotal]:
Organizational Unit Name (eg, section) [TSE]:
Common (Server) Name (eg, www.example.com) [My Root CA]:
Email Address [root@localhost]:

Verify the contents of root CA certificate:

> openssl x509 -text -noout -in public/root-ca.crt | grep CN


Issuer: C=US, ST=California, L=SF, O=Pivotal, OU=TSE, CN=My Root CA/emailAddress=root@localhost
Subject: C=US, ST=California, L=SF, O=Pivotal, OU=TSE, CN=My Root CA/emailAddress=root@localhost
DirName:/C=US/ST=California/L=SF/O=Pivotal/OU=TSE/CN=My Root CA/emailAddress=root@localhost

Notice that the common name (CN=My Root CA) in the Issuer, Subject and DirName lines is the same, which tells us this is a self-signed root certificate. Also confirm in the full -text output that the certificate carries the basicConstraints extension with CA:TRUE (the default openssl.cnf adds it through the v3_ca section); without it, clients will refuse to accept certificates signed by this root.

Sometimes we need to verify that the certificate was generated from this particular private key and not some other key.  To do this, compare the modulus of the private key with the modulus in the certificate:

> openssl rsa -noout -modulus -in private/root-ca.key | openssl md5

Enter pass phrase for root-ca/private/root-ca.key:
069e8cce21ea26934bfb250aeb7e7b4e

> openssl x509 -noout -modulus -in public/root-ca.crt | openssl md5

069e8cce21ea26934bfb250aeb7e7b4e

Notice that both md5 checksums match, so we know the certificate and key belong together. MD5 is used here only to shorten two long hex strings for comparison by eye, not for security; any digest (for example openssl sha256) serves the same purpose.

Now we have a self-signed root CA. The private key and the certificate containing the public key can be used to sign other certificates.  It is very important to keep the CA private key and its passphrase secure: the key file should be readable only by the CA operator (ideally kept on a machine that is offline), because if the private key is compromised, every certificate it has signed, and any certificate an attacker signs with it, must be treated as untrusted, and the root has to be replaced in every trust store that imported it.
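The whole procedure above (directory layout, configuration file, serial and index files, encrypted key, self-signed root and the verification checks), followed by the signing of one server certificate that the last paragraph describes, as an added example that is not part of the original article. Everything runs non-interactively so that the result can be checked from a script: the CA directory, the passphrase, the DN values (O=Example Org, CN=Example Root CA), the leaf name www.example.test and the function names are placeholders chosen for this demo, not values from the article.

```sh
#!/bin/sh
# Added example, not part of the original article: build a self-signed root CA
# non-interactively, verify it, and sign one leaf certificate with it.  Every path,
# passphrase and DN value below is a placeholder chosen for the demo.
set -eu

# Minimal root-ca.cnf serving both "openssl req" (the root) and "openssl ca" (leaves).
write_root_ca_cnf() {
  cat > "$1/conf/root-ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
certificate     = \$dir/public/root-ca.crt
private_key     = \$dir/private/root-ca.key
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
default_md      = sha256
default_days    = 397
policy          = policy_any
[ policy_any ]
commonName      = supplied
[ req ]
default_bits        = 4096
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
prompt              = no
[ req_distinguished_name ]
O  = Example Org
CN = Example Root CA
[ v3_ca ]
basicConstraints        = critical,CA:TRUE
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
[ v3_leaf ]
basicConstraints        = CA:FALSE
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = DNS:www.example.test
EOF
}

# Steps 1-4 of the article in one function: layout, serial/index, encrypted key, root cert.
make_root_ca() {
  ca_dir=$1; pass=$2
  mkdir -p "$ca_dir/conf" "$ca_dir/public" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
  chmod 700 "$ca_dir/private"
  write_root_ca_cnf "$ca_dir"
  echo 01 > "$ca_dir/serial"
  : > "$ca_dir/index.txt"
  # AES-256-encrypted 4096-bit RSA key; the passphrase is supplied non-interactively here
  openssl genrsa -aes256 -passout "pass:$pass" -out "$ca_dir/private/root-ca.key" 4096 2>/dev/null
  chmod 600 "$ca_dir/private/root-ca.key"
  # Self-signed root, SHA-256 signature, 10-year lifetime (3652 days)
  openssl req -new -x509 -sha256 -days 3652 -config "$ca_dir/conf/root-ca.cnf" \
    -key "$ca_dir/private/root-ca.key" -passin "pass:$pass" -out "$ca_dir/public/root-ca.crt"
}

# The article's checks plus the ones a practitioner wants; returns 0 only if all pass.
check_root_ca() {
  crt="$1/public/root-ca.crt"; key="$1/private/root-ca.key"; pass=$2
  # Issuer equals subject, and the certificate verifies against itself as a trust anchor
  [ "$(openssl x509 -noout -issuer -in "$crt" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$crt" | sed 's/^subject=//')" ] || return 1
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 2
  # Key and certificate share one RSA modulus
  kmod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass" | openssl sha256)
  cmod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
  [ "$kmod" = "$cmod" ] || return 3
  # Marked as a CA and signed with SHA-256, not SHA-1
  txt=$(openssl x509 -noout -text -in "$crt")
  echo "$txt" | grep -q 'CA:TRUE' || return 4
  echo "$txt" | grep -q 'sha256WithRSAEncryption' || return 5
}

# Issue one server certificate from the root ($3 is the output path prefix) and verify the chain.
sign_leaf() {
  ca_dir=$1; pass=$2; out=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca_dir/conf/root-ca.cnf" \
    -subj '/CN=www.example.test' -keyout "$out.key" -out "$out.csr" 2>/dev/null
  openssl ca -batch -notext -config "$ca_dir/conf/root-ca.cnf" -extensions v3_leaf \
    -passin "pass:$pass" -in "$out.csr" -out "$out.crt" 2>/dev/null
  openssl verify -CAfile "$ca_dir/public/root-ca.crt" "$out.crt" >/dev/null
}

# Demo run with constructed values (skipped when no openssl binary is on PATH)
if command -v openssl >/dev/null 2>&1; then
  demo_dir=$(mktemp -d); demo_pass='demo-passphrase-change-me'
  make_root_ca "$demo_dir" "$demo_pass"
  check_root_ca "$demo_dir" "$demo_pass" || { echo "root CA check failed: $?" >&2; exit 1; }
  sign_leaf "$demo_dir" "$demo_pass" "$demo_dir/www.example.test"
  echo "root CA and leaf written under $demo_dir; next serial is $(cat "$demo_dir/serial")"
fi
```

The check function goes beyond the article's grep in two ways: openssl verify confirms that the self-signature is actually valid (identical Issuer and Subject strings only show intent), and the CA:TRUE and sha256WithRSAEncryption checks catch the two mistakes that most often make a home-made root unusable. Signing the leaf through openssl ca, rather than with openssl x509 -CA, is what exercises the serial, index.txt and newcerts entries of the configuration, so a successful run proves the [ CA_default ] section is consistent with the directory layout.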


References / Additional Information

SSL Certificates HOWTO - http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html
OpenSSL - http://www.openssl.org/


©VMware 2013
