Openssl Ca Example

  1. Openssl Ca Example Paper
  2. Openssl Ca Startdate Example

Create and operate Public Key Infrastructures with OpenSSL.


This tutorial shows how to implement real-worldPKIs with the OpenSSL toolkit.


In the first part of the tutorial we introduce the necessary terms and concepts.The second part consists of examples, where we build increasingly moresophisticated PKIs using nothing but the openssl utility.The tutorial puts a special focus on configuration files, which are keyto taming the openssl command line. It also serves to promote what we havefound to be the most effective way of partinioning the configuration space:

Jun 29, 2017 $ openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout -days 730 -out Creating your own CA and using it to sign the certificates Normal certificates should not have the authorisation to sign other certificates. Openssl ca -in req.pem -out newcert.pem. Sign a certificate request, using CA extensions: openssl ca -in req.pem -extensions v3ca -out newcert.pem. Openssl ca -gencrl -out crl.pem. Sign several requests: openssl ca -infiles req1.pem req2.pem req3.pem. Certify a Netscape SPKAC: openssl ca -spkac spkac.txt.

  • One configuration file per CA, and
  • One configuration file per CSR type.

Please study the configuration files included in the examples, it’s where mostof the treasure is buried.

PKI Concepts¶

At its heart, an X.509 PKI is a security architecture that uses well-establishedcryptographic mechanisms to support use-cases like email protection and webserver authentication. In this regard it is similarto other systems based on public-key cryptography, for example OpenPGP [RFC 4880].In the realm of X.509 however, and thanks to its roots in a globe-spanningscheme devised by the telecom industry, these mechanisms come with a fairamount of administrative overhead.

One thing to keep in mind is that X.509 is not an application,but a specification upon which applications likeSecure Multipurpose Internet Mail Extensions (S/MIME) andTransport Layer Security (TLS) are based.The building blocks are very generic and derive most oftheir meaning from the relations that exist/are established between them.It’s called an infrastructure for a reason.


  1. A requestor generates a CSR and submits it to the CA.
  2. The CA issues a certificate based on the CSR and returns it to the requestor.
  3. Should the certificate at some point be revoked, the CA adds it to its CRL.


Public Key Infrastructure (PKI)
Security architecture where trust is conveyed through the signatureof a trusted CA.
Certificate Authority (CA)
Entity issuing certificates and CRLs.
Registration Authority (RA)
Entity handling PKI enrollment. May be identical with the CA.
Public key and ID bound by a CA signature.
Certificate Signing Request (CSR)
Request for certification. Contains public key and ID to be certified.
Certificate Revocation List (CRL)
List of revoked certificates. Issued by a CA at regular intervals.
Certification Practice Statement (CPS)
Document describing structure and processes of a CA.

CA Types¶

Root CA
CA at the root of a PKI hierarchy. Issues only CA certificates.
Intermediate CA
CA below the root CA but not a signing CA. Issues only CA certificates.
Signing CA
CA at the bottom of a PKI hierarchy. Issues only user certificates.

Certificate Types¶

CA Certificate
Certificate of a CA. Used to sign certificates and CRLs.
Root Certificate
Self-signed CA certificate at the root of a PKI hierarchy.Serves as the PKI’s trust anchor.
Cross Certificate
CA certificate issued by a CA external to the primary PKI hierarchy.Used to connect two PKIs and thus usually comes in pairs. [1]
User Certificate
End-user certificate issued for one or more purposes:email-protection, server-auth, client-auth, code-signing, etc.A user certificate cannot sign other certificates.


[1]The RFC classifies any CA-signs-CA scenario as cross-certification,to distinguish it from self-issuing.Outside of specs however, the term normally only refers to inter-PKIcross-certification.

File Formats¶

Privacy Enhanced Mail (PEM)
Text format. Base-64 encoded data with header and footer lines.Preferred format in OpenSSL and most software based on it (e.g. Apachemod_ssl, stunnel).
Distinguished Encoding Rules (DER)
Binary format. Preferred format in Windows environments. Also theofficial format for Internet download of certificates and CRLs.


Openssl ca example

The examples are meant to be done in order, each providing the basis forthe ones that follow.They are deliberately low on prose, we prefer to let the configuration filesand command lines speak for themselves.

You will find a reference section at the bottom of each page, withlinks to relevant parts of the OpenSSL documentation. Please use the linksfor details on command line options and configuration file settings.

Note: You need at least OpenSSL 1.0.1. Check with:

Simple PKI¶

In this example we create the simplest possible PKI: One root CA and onesigning CA.We use the CA to issue two types of user certificates.

Advanced PKI¶

In this example we create a larger setup, consisting of a root CA and threesigning CAs.We use the CAs to issue 4 different types of user certificates.We also encounter two new certificate extensions: authorityInfoAccess andcrlDistributionPoints.

Openssl Ca Example Paper

Openssl ca gencrl

Expert PKI¶

In this example we create a 3-tier CA hierarchy: One root CA, one intermediateCA, and two signing CAs.We use the CAs to issue 6 types of user certificates.We introduce certificate policies and the certificatePolicies extension.We also show how to configure an OCSP responder.


MIME Types¶

This section takes a closer look at the MIME types and file extensionsused.

CA Database¶

This section examines the format of the CA database.

Openssl Ca Example

Openssl Ca Startdate Example


RFC 5280
Internet X.509 Public Key Infrastructure Certificateand Certificate Revocation List (CRL) Profile
RFC 2585
Internet X.509 Public Key InfrastructureOperational Protocols: FTP and HTTP
RFC 5750
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2Certificate Handling
RFC 6125
Representation and Verification of Domain-Based Application ServiceIdentity within Internet Public Key Infrastructure Using X.509 (PKIX)Certificates in the Context of Transport Layer Security (TLS)
Baseline Requirements [pdf, opens in browser]
CA/Browser Forum Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates
X.509 Recommendation [pdf, direct download]
ITU-T X.509 Public-Key and Attribute Certificate Frameworks Recommendation
OpenSSL TEST CA [pdf, direct download]
Carillon Information Security: How to Set Up an OpenSSL TEST CA forInteroperability Testing with CertiPath