How To Create CA and Generate SSL/TLS Certificates & Keys

This guide explains how to create a CA key and certificate and then use them to generate SSL/TLS certificates and keys with utilities such as openssl and cfssl.

Terms used in this article:

  1. PKI – Public key infrastructure
  2. CA – Certificate Authority
  3. CSR – Certificate signing request
  4. SSL – Secure Sockets Layer
  5. TLS – Transport Layer Security

Certificate Creation Workflow

The following steps are involved in creating a CA and SSL/TLS certificates.

  1. CA Key and Certificate Creation
    1. Generate a CA private key file using a utility (OpenSSL, cfssl, etc.).
    2. Create the CA root certificate using the CA private key.
  2. Server Certificate Creation Process
    1. Generate a server private key using a utility (OpenSSL, cfssl, etc.).
    2. Create a CSR using the server private key.
    3. Generate the server certificate using the CA key, the CA certificate and the server CSR.


In this guide, we will explain the steps required to create a CA and SSL/TLS certificates using the following utilities.

  1. openssl
  2. cfssl

This guide is focused on creating your own CA and SSL/TLS certificates. It is meant for development, or for use within an organizational network where everyone can install the root CA certificate that you provide. For public (internet-facing) services, you should consider using one of the available third-party CA services, such as DigiCert.

Generating Certificates Using CFSSL & CFSSLJSON

CFSSL & CFSSLJSON are PKI tools from Cloudflare. They make generating CSRs, certificates and keys very easy.

Install CFSSL and CFSSLJSON on Linux

1. Download the executables and save them to /usr/local/bin.

2. Add execute permissions to the downloaded executables.

3. Verify the installation by executing the cfssl command.

You should get the following output.

Generate CA Certificate and Key

Step 1: Create a folder named cfssl to hold all the certificates and cd into the folder.

Step 2: Create a ca-csr.json file with the required information.

You can check the supported values for csr and config using the following commands.

Step 3: Create the CA key and cert files (ca-key.pem & ca.pem) using the ca-csr.json file.

Step 4: Create a ca-config.json with signing and profile details. This will be used to create server or client certificates that can be used to set up SSL/TLS based authentication.

Generate SSL/TLS Certificates

Step 1: Create a server-csr.json with your server details.

Note: the hosts entry in the JSON should contain the server's DNS names, public/private IP addresses, hostnames, local DNS names, etc., depending on the interfaces on which you want to receive the authentication requests. For example, you could have a server with TLS authentication over the public internet and over the private network within the organisation.

Step 2: Now create the server SSL certificate using the CA key, the CA cert and the server CSR. This will create the server-key.pem (private key) and server.pem (certificate) files.

Generating Certificates Using OpenSSL

The openssl utility is present by default on all Linux and Unix-based systems.

Generate CA Certificate and Key

Step 1: Create an openssl directory and cd into it.

Step 2: Generate the CA private key file.

Step 3: Generate the CA x509 certificate file using the CA key. You can define the validity of the certificate in days; here we use 1825 days.

The following command will prompt for the certificate details, such as common name, location and country.

Alternatively, you can pass this information on the command line, as shown below.

Generate SSL/TLS Certificates

Step 1: Create a server private key.

Step 2: Create a configuration file named csr.conf for generating the Certificate Signing Request (CSR), as shown below. Replace the values as per your needs.

alt_names should contain the DNS names of your server on which you want to use SSL. Also add all the IP addresses associated with the server if clients use an IP address to connect to the server over SSL.

Step 3: Generate the CSR using the private key and the config file.

Step 4: Generate the server SSL certificate using ca.key, ca.crt and server.csr.
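The whole OpenSSL workflow (CA key, self-signed CA cert with the subject passed on the command line, server key, csr.conf with alt_names, CSR, signing, and a final chain and hostname check) as one added example script. This is not the article's own code: the subject fields, hostnames and IP addresses are constructed sample values, and cert.conf is an assumed second extension file used at signing time because OpenSSL does not carry the CSR's SANs into the certificate on its own.

```shell
#!/bin/sh
# Added example (not from the original article): the OpenSSL steps from the CA
# key through a signed server certificate, finished with a chain/hostname check.
# Subject fields, hostnames and IP addresses are constructed sample values.
set -eu

# Write csr.conf (used for the CSR) and cert.conf (extensions applied at signing) in $1.
write_openssl_configs() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/csr.conf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = US
ST = California
L  = San Francisco
O  = Example Org
OU = Platform
CN = app.example.internal

[ req_ext ]
subjectAltName = @alt_names

# Every name or address that clients will use to reach the server.
[ alt_names ]
DNS.1 = app.example.internal
DNS.2 = app
IP.1  = 192.168.10.25
IP.2  = 10.0.0.25
EOF

  # Extensions for the signed certificate: a leaf (CA:FALSE) for server auth.
  # The SANs are repeated here because x509 -req does not copy them from the CSR.
  cat > "$dir/cert.conf" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = app.example.internal
DNS.2 = app
IP.1  = 192.168.10.25
IP.2  = 10.0.0.25
EOF
}

# CA key + self-signed CA cert, server key, CSR, signed server cert, all in $1.
generate_openssl_certs() {
  write_openssl_configs "$1"
  (
    cd "$1" || exit 1
    # CA private key: keep it offline and readable only by its owner.
    openssl genrsa -out ca.key 4096
    chmod 600 ca.key
    # Self-signed CA certificate valid for 1825 days, subject given with -subj.
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 1825 \
      -subj "/C=US/ST=California/L=San Francisco/O=Example Org/CN=Example Internal Root CA" \
      -out ca.crt
    # Server private key.
    openssl genrsa -out server.key 2048
    chmod 600 server.key
    # CSR from the server key and csr.conf (subject plus SANs).
    openssl req -new -key server.key -out server.csr -config csr.conf
    # Sign the CSR with the CA for 365 days; -CAcreateserial writes ca.srl on first use.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 365 -sha256 -extfile cert.conf
  )
}

# Chain check: does $1/server.crt validate against $1/ca.crt for hostname $2?
verify_server_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# Print the Subject Alternative Name line of the signed certificate.
show_sans() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

dir="${OPENSSL_DIR:-./openssl}"
generate_openssl_certs "$dir"
verify_server_cert "$dir" app.example.internal && echo "server.crt chains to ca.crt for app.example.internal"
show_sans "$dir"
```

Distribute ca.crt to the clients that need to trust your servers and keep ca.key out of the server directory entirely; only server.key and server.crt belong on the server. `openssl x509 -in server.crt -noout -text` shows the full certificate if you want to confirm the issuer, validity dates and key usage before deploying it.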




Created by Bibin Wilson.