Your Own Certificate Authority

These days I am involve in developing X509 certificate store for Apache Rampart/C Web Services Security project which is the security module for Axis2/C Web Service Engine. This certificate store will use PKCS12 format file to store certificates. Before implementing certificate store I had to create my own CA (Certificate Authority) and Several Public and Private key pairs signed by my CA which will be used in testing the implementation. This little post will explain you some basic concepts of PKI and how to setup your own CA and generate certificates using OpenSSL.

What is Public Key Cryptography?

Public Key Cryptography is also know as asymmetric cryptography, is form of cryptography where users as pair of keys. One is private key other is public key. User keep private key as secret and publish the public key. These two keys are related mathematically, but the private key is cannot be derived using public key. A message encrypted with public key can only be decrypted using private key. This method is used to ensure the confidentiality. Private key is used to sign messages. Messages signed using senders private key can be verified by anyone who has access to the sender's public key. This ensure the authenticity. I am not going to talk more about public key cryptography, you can find more details on the internet.

What is Public Key Infrastructure?

According to the Wikipedia Public Key Infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). You can find more details from this link.

So according to the PKI , you must understand that we need a CA to issue certificates for the user. As the first step I will show you how to create your own certificate authority and after that I will show you how to issue certificates signed by that authority.

  1. Before acting as a CA, you need to have some files necessary for being a CA. You need to have your own private key and self signed certificate. Following command will generate these files for you, but you have to provide some information about your self.
    openssl req -x509 -out ca_cert.pem -newkey rsa:1024 -keyout ca_pkey.pem -days 365
    If you are not familiar with openssl tool, you will not understand what these options means. So here are the meanings of above options used with openssl tool. To learn more about the openssl tool you can use openssl man page in linux or this link.
    • req : Since you are requesting a requestinga certificate you have to use req command.

    • -x509 : This option will req command to generate self signed certificate rather than a certificate request as in normal case.

    • -out ca_cert.pem : The CA's certificate will write into this file.

    • -newkey rsa:1024 : Tell openssl to generate 1024-bit long RSA key along with this new certificate.

    • -keyout ca_pkey.pem : The CA's new private key will write into this file.

    • -days 365 : This certificate that we generated only valid for 365 days from now.