1.5 Creating a Private Certification Authority
If you want to set up your own CA, everything you need is already included in OpenSSL. The user interface is purely command line–based and thus not very user friendly, but that’s possibly for the better. Going through the process is very educational, because it forces you to think about every aspect, even the smallest details.
The educational aspect of setting up a private CA is the main reason why I would recommend doing it, but there are others. An OpenSSL-based CA, crude as it might be, can well serve the needs of an individual or a small group. For example, it’s much better to use a private CA in a development environment than to use self-signed certificates everywhere. Similarly, client certificates—which provide two-factor authentication—can significantly increase the security of your sensitive web applications.
The biggest challenge in running a private CA is not setting everything up but keeping the infrastructure secure. For example, the root key must be kept offline because all security depends on it. On the other hand, CRLs and OCSP responder certificates must be refreshed on a regular basis, which requires bringing the root online.
As you go through this section you will create two configuration files: one to control the root CA (root-ca.conf) and another to control the subordinate CA (sub-ca.conf). Although you should be able to do everything from scratch just by following my instructions, you can also download the configuration file templates from my GitHub account.[1] The latter option will save you some time, but the former approach will give you a better understanding of the work involved.
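The two-tier layout described above (an offline root that signs only the subordinate CA and its CRL, and an online subordinate that issues end-entity certificates) can be built end to end with stock OpenSSL. The script below is an added example, not the book's own root-ca.conf and sub-ca.conf templates; the directory layout, the `init_ca`, `build_private_ca` and `verify_chain` function names, and the DN values (C=GB, O=Example, CN=www.example.com) are placeholders chosen for illustration. It writes one minimal configuration per CA, self-signs the root through `openssl ca` so the root is recorded in its own database, signs the subordinate with `pathlen:0`, issues the root's first CRL, and finally issues and verifies a server certificate.

```shell
#!/bin/sh
# Two-tier private CA with stock OpenSSL: offline root + online subordinate.
# Constructed example: layout, DN values and config names are placeholders.
set -eu

# init_ca NAME DIR CN DAYS: create the directory layout and database files that
# "openssl ca" expects, then write a minimal NAME.conf. Root and subordinate
# share the layout; only the DN and the default validity differ.
init_ca() {
  name=$1; dir=$2; cn=$3; days=$4
  mkdir -p "$dir/certs" "$dir/db" "$dir/private"
  chmod 700 "$dir/private"            # in practice the root key also gets a passphrase and stays offline
  : > "$dir/db/index"                 # empty certificate database
  echo 1000 > "$dir/db/serial"        # next certificate serial (hex)
  echo 1000 > "$dir/db/crlnumber"     # next CRL number (hex)
  cat > "$dir/$name.conf" <<EOF
[ca]
default_ca              = ca_default
[ca_default]
database                = $dir/db/index
serial                  = $dir/db/serial
crlnumber               = $dir/db/crlnumber
new_certs_dir           = $dir/certs
certificate             = $dir/$name.crt
private_key             = $dir/private/$name.key
default_md              = sha256
default_days            = $days
default_crl_days        = 30
policy                  = policy_c_o_match
unique_subject          = no
copy_extensions         = none
[policy_c_o_match]
countryName             = match
organizationName        = match
commonName              = supplied
[req]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
prompt                  = no
distinguished_name      = ca_dn
[ca_dn]
countryName             = GB
organizationName        = Example
commonName              = $cn
[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
[sub_ca_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
[server_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
EOF
}

# build_private_ca BASE: root CA, subordinate signed by the root, the root's
# first CRL, and a server certificate signed by the subordinate.
build_private_ca() {
  base=$1; root=$base/root-ca; sub=$base/sub-ca
  init_ca root-ca "$root" "Example Root CA" 3650
  init_ca sub-ca  "$sub"  "Example Sub CA"  1825
  # Root: key + CSR from [req], then self-signed through "openssl ca".
  openssl req -new -config "$root/root-ca.conf" \
      -keyout "$root/private/root-ca.key" -out "$root/root-ca.csr"
  openssl ca -config "$root/root-ca.conf" -selfsign -batch -notext \
      -extensions ca_ext -in "$root/root-ca.csr" -out "$root/root-ca.crt"
  # Subordinate: pathlen:0 so it cannot create further CAs. Signing it and
  # refreshing the CRL are the only reasons to bring the root online.
  openssl req -new -config "$sub/sub-ca.conf" \
      -keyout "$sub/private/sub-ca.key" -out "$sub/sub-ca.csr"
  openssl ca -config "$root/root-ca.conf" -batch -notext \
      -extensions sub_ca_ext -in "$sub/sub-ca.csr" -out "$sub/sub-ca.crt"
  openssl ca -config "$root/root-ca.conf" -gencrl -out "$root/root-ca.crl"
  # End-entity certificate from the subordinate; -subj overrides the CA DN in
  # the config, but C and O must still match the policy.
  openssl req -new -newkey rsa:2048 -nodes -config "$sub/sub-ca.conf" \
      -subj "/C=GB/O=Example/CN=www.example.com" \
      -keyout "$base/server.key" -out "$base/server.csr"
  openssl ca -config "$sub/sub-ca.conf" -batch -notext \
      -extensions server_ext -in "$base/server.csr" -out "$base/server.crt"
}

# verify_chain BASE: path validation trusting only the root; returns the exit
# status of "openssl verify" (0 when the chain is valid).
verify_chain() {
  openssl verify -CAfile "$1/root-ca/root-ca.crt" \
      -untrusted "$1/sub-ca/sub-ca.crt" "$1/server.crt"
}

if [ $# -gt 0 ]; then   # usage: sh private-ca.sh /path/to/ca-base
  build_private_ca "$1" && verify_chain "$1"
fi
```

Run it with a base directory as the only argument. The same `init_ca` function serves both CAs because the only differences between root-ca.conf and sub-ca.conf in this layout are the DN and validity; in a real deployment the root directory would live on offline media and only the subordinate's configuration would stay on the issuing host.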