Create the private key and certificate pair.

  1. Download the OpenSSL binaries from the following link if you are using Windows:

    https://slproweb.com/products/Win32OpenSSL.html

  2. Create a ca.cnf file using the following template:

    [ req ]
    default_bits        = 2048
    default_keyfile     = private.pem
    distinguished_name  = subject
    req_extensions      = req_ext
    x509_extensions     = x509_ext
    string_mask         = utf8only
    
    # The Subject DN can be formed using X.501 or RFC 4514 (see RFC 4519 for a description).
    #   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
    [ subject ]
    countryName         = Country Name (2 letter code)
    countryName_default     = <2_LETTER_COUNTRY_CODE>
    
    stateOrProvinceName     = State or Province Name (full name)
    stateOrProvinceName_default = <STATE_NAME>
    
    localityName            = Locality Name (eg, city)
    localityName_default        = <CITY_NAME>
    
    organizationName         = Organization Name (eg, company)
    organizationName_default    = <ORGANIZATION_NAME>
    
    organizationalUnitName         = Organizational Unit (eg, section)
    organizationalUnitName_default = <ORGANIZATIONAL_UNIT>
    
    # Use a friendly name here because it's presented to the user. The server's DNS
    #   names are placed in Subject Alternative Names. Plus, placing DNS names here is
    #   deprecated by both the IETF and the CA/Browser Forum. If you place a DNS name
    #   here, then you must include the DNS name in the SAN too (otherwise, Chrome and
    #   others that strictly follow the CA/Browser Baseline Requirements will fail).
    commonName          = Common Name (e.g. server FQDN or YOUR name)
    commonName_default      = <YOUR_NAME>
    
    emailAddress            = Email Address
    emailAddress_default        = <YOUR_EMAIL_ADDR>
    
    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    [ x509_ext ]
    
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier    = keyid,issuer
    
    basicConstraints        = CA:TRUE
    keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    nsComment           = "Private CA"
    
    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    [ req_ext ]
    
    subjectKeyIdentifier        = hash
    
    basicConstraints        = CA:true
    keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    nsComment           = "Private CA"

    Replace the following fields on the template:

    Field Name              Description
    2_LETTER_COUNTRY_CODE   The two-letter code of your country.
    STATE_NAME              The name of your state.
    CITY_NAME               The name of your city.
    ORGANIZATION_NAME       The name of your organization.
    ORGANIZATIONAL_UNIT     The name of your section in the organization.
    YOUR_NAME               Your full name or anything that represents you as a CA.
    YOUR_EMAIL_ADDR         Your email address.

    Example:

    [ req ]
    default_bits        = 2048
    default_keyfile     = private.pem
    distinguished_name  = subject
    req_extensions      = req_ext
    x509_extensions     = x509_ext
    string_mask         = utf8only
    
    # The Subject DN can be formed using X.501 or RFC 4514 (see RFC 4519 for a description).
    #   It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
    [ subject ]
    countryName         = Country Name (2 letter code)
    countryName_default     = NZ
    
    stateOrProvinceName     = State or Province Name (full name)
    stateOrProvinceName_default = Wellington
    
    localityName            = Locality Name (eg, city)
    localityName_default        = Wellington
    
    organizationName         = Organization Name (eg, company)
    organizationName_default    = My Company
    
    organizationalUnitName         = Organizational Unit (eg, section)
    organizationalUnitName_default = IT Department
    
    # Use a friendly name here because it's presented to the user. The server's DNS
    #   names are placed in Subject Alternative Names. Plus, placing DNS names here is
    #   deprecated by both the IETF and the CA/Browser Forum. If you place a DNS name
    #   here, then you must include the DNS name in the SAN too (otherwise, Chrome and
    #   others that strictly follow the CA/Browser Baseline Requirements will fail).
    commonName          = Common Name (e.g. server FQDN or YOUR name)
    commonName_default      = Ronaldo Webb CA APR 2021
    
    emailAddress            = Email Address
    emailAddress_default        = ron@ronella.xyz
    
    # Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
    [ x509_ext ]
    
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier    = keyid,issuer
    
    basicConstraints        = CA:TRUE
    keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    nsComment           = "Private CA"
    
    # Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
    [ req_ext ]
    
    subjectKeyIdentifier        = hash
    
    basicConstraints        = CA:true
    keyUsage            = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
    nsComment           = "Private CA"

  3. Generate a private key using the following command:

    openssl genrsa -out ca.key.pem 2048

  4. Generate a certificate with a validity of 10 years from the private key using the following command:

    openssl req -x509 -sha256 -new -nodes -key ca.key.pem -days 3650 -out ca.cert.crt -config ca.cnf

Viewing the generated certificate

  1. View the generated certificate using the following command:

    openssl x509 -in ca.cert.crt -text
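
A scripted version of that inspection, added here as an example and not part of the original instructions: it checks that ca.cert.crt carries the public key of ca.key.pem, is self-signed, and has the CA:TRUE and keyCertSign settings from the x509_ext section. The function names and the reduced demo.cnf are hypothetical; the demo pair is constructed sample input.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair from steps 3 and 4.

# Succeeds only if the certificate carries the public half of the private key.
key_matches_cert() {    # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is a self-signed CA allowed to sign certificates.
is_signing_ca() {       # usage: is_signing_ca CERT
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1            # basicConstraints
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1   # keyCertSign
    # Self-signed: it verifies with itself as the only trust anchor.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Constructed sample input (hypothetical helper): a throwaway pair in DIR built
# with the page's commands and a reduced, non-interactive config.
make_demo_pair() {      # usage: make_demo_pair DIR BASIC_CONSTRAINTS KEY_USAGE
    cat > "$1/demo.cnf" <<EOF
[ req ]
distinguished_name = subject
x509_extensions    = x509_ext
prompt             = no
[ subject ]
commonName         = Constructed Demo CA
[ x509_ext ]
basicConstraints   = $2
keyUsage           = $3
EOF
    openssl genrsa -out "$1/ca.key.pem" 2048 2>/dev/null &&
    openssl req -x509 -sha256 -new -nodes -key "$1/ca.key.pem" -days 1 \
        -out "$1/ca.cert.crt" -config "$1/demo.cnf" 2>/dev/null
}

# Check the real files when run in the directory used for steps 3 and 4.
if [ -f ca.cert.crt ] && [ -f ca.key.pem ]; then
    if key_matches_cert ca.cert.crt ca.key.pem && is_signing_ca ca.cert.crt; then
        echo "OK: ca.cert.crt is a self-signed signing CA for ca.key.pem"
    else
        echo "FAIL: ca.cert.crt and ca.key.pem do not form a valid CA pair" >&2
    fi
fi
```

Step 3 writes ca.key.pem unencrypted, so restrict the file's permissions wherever the key is stored.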