Using OpenSSL as a Certificate Authority - ported from my old wiki. See also my OpenSSL certificates in a nutshell post for client-level certificate handling.

With any of the openssl ca commands below, add -name <name of CA section> to select the CA section of the config file (unless that section is already the default_ca):

openssl ca -name SomeCA -config conf/MyCA.cnf ...

Day-to-day usage

Signing a certificate

This is by far the easiest bit:

# Always verify the certificate request and read its requested extensions before signing.
# -verify checks the CSR's self-signature (proof that the requester holds the private key);
# the -text output is where you spot something dangerous, like a request for
# basicConstraints CA:TRUE, i.e. someone trying to trick you into signing a CA certificate.
openssl req -verify -text -noout -in "csr/$CN.csr"
# -notext writes only the PEM block, without the human-readable dump in front of it.
# -infiles has to be the last option; everything after it is taken as a request file.
openssl ca -name "ca_intermediate_$CA" -notext -out "certs/$CA/$CN.pem" -config "conf/openssl.cnf" -infiles "csr/$CN.csr"

Whether requested extensions end up in the certificate at all is governed by copy_extensions in the CA section: the default (none) ignores them and uses only the CA's own x509_extensions; copy merges in any requested extension that the CA's extension section does not already set; copyall lets the request override everything. With copyall, the manual inspection above is what stands between a bad CSR and a rogue CA certificate.

Revoke a certificate

openssl ca -name "ca_intermediate_$CA" -revoke "certs/$CA/$CN.pem" -crl_reason unspecified -config "conf/openssl.cnf"
rm "certs/$CA/$CN.pem"

-revoke needs the certificate itself, not just its serial number; the CA keeps a copy of everything it issued in new_certs_dir as <serial>.pem, so a certificate can still be revoked after the working copy has been removed. The revocation is recorded in the CA database (index.txt, where the line for that serial changes from V to R) and only takes effect for relying parties once a new CRL has been generated and published.

Where -crl_reason is optional and can be one of:

  • unspecified
  • keyCompromise
  • CACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
  • removeFromCRL

For a compromise you can instead pass -crl_compromise <time> or -crl_CA_compromise <time> (YYYYMMDDHHMMSSZ), which set the reason to keyCompromise or CACompromise and record when the key was compromised. certificateHold is the only reversible status and takes an optional -crl_hold <instruction>; removeFromCRL is only meaningful in delta CRLs.

Generating the CRL

Again, dead easy:

openssl ca -name "ca_intermediate_$CA" -config conf/openssl.cnf -gencrl -out crl/$CA.crl.pem

The CRL is valid for default_crl_days from the CA section (override with -crldays or -crlhours), so it has to be regenerated and republished before it expires even when nothing new was revoked, otherwise clients doing CRL checks start failing. Check what you are about to publish with:

openssl crl -in crl/$CA.crl.pem -noout -text
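The three steps above wired together against a throwaway CA, as an added example that is not part of the original page. It assumes only the openssl command-line tool; the CA section name ca_intermediate_demo, the directory layout under a temp directory and the hostnames are made up for the example. It also shows the CSR check catching a request for CA:TRUE, and uses openssl verify -crl_check to prove the revocation actually shows up in the CRL.

```bash
#!/bin/sh
# Added example, not from the original page. Throwaway CA in a temp directory;
# assumes only the openssl CLI. Section name, paths and hostnames are made up.
set -e

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"
CA=ca_intermediate_demo

setup_ca() {
  mkdir -p "$WORK/certs/demo" "$WORK/csr" "$WORK/crl" "$WORK/newcerts" "$WORK/private"
  : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"; echo 1000 > "$WORK/crlnumber"
  cat > "$CNF" <<EOF
[ $CA ]
certificate      = $WORK/ca.pem
private_key      = $WORK/private/ca.key
new_certs_dir    = $WORK/newcerts
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_leaf
copy_extensions  = none
[ policy_any ]
commonName = supplied
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = placeholder
EOF
  # Self-signed CA key/cert for the demo (a real hierarchy is the CA Setup page's job).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$CNF" \
    -subj "/CN=Demo Intermediate CA" -keyout "$WORK/private/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

make_csr() {  # make_csr <name> <CN> [extension the requester asks for]
  if [ -n "${3:-}" ]; then ext="-addext $3"; else ext=""; fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" -subj "/CN=$2" $ext \
    -keyout "$WORK/private/$1.key" -out "$WORK/csr/$1.csr" 2>/dev/null
}

check_csr() {  # 0 = safe to sign, 1 = requests CA:TRUE, 2 = self-signature not OK
  # Grep the text rather than trusting the exit code: some releases exit 0 on failure.
  openssl req -verify -noout -in "$1" 2>&1 | grep -q 'verify OK' || return 2
  ! openssl req -noout -text -in "$1" | grep -q 'CA:TRUE'
}

sign_cert() {  # the page's signing command, -batch so it does not prompt
  openssl ca -batch -name "$CA" -config "$CNF" -notext \
    -out "$WORK/certs/demo/$1.pem" -infiles "$WORK/csr/$1.csr" >/dev/null 2>&1
}

revoke_cert() {  # revoke_cert <name> <reason>
  openssl ca -batch -name "$CA" -config "$CNF" -revoke "$WORK/certs/demo/$1.pem" \
    -crl_reason "$2" >/dev/null 2>&1
}

gen_crl() {
  openssl ca -batch -name "$CA" -config "$CNF" -gencrl -out "$WORK/crl/demo.crl.pem" >/dev/null 2>&1
}

crl_status() {  # prints ok | revoked | error for a certificate against the current CRL
  if out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl/demo.crl.pem" "$1" 2>&1)
  then echo ok
  else case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
  fi
}

setup_ca
make_csr good www.example.test
make_csr evil www.example.test "basicConstraints=critical,CA:TRUE"
check_csr "$WORK/csr/good.csr" && echo "good.csr: verify OK, no CA:TRUE requested -> signing"
check_csr "$WORK/csr/evil.csr" || echo "evil.csr: REJECTED, it asks for basicConstraints CA:TRUE"
sign_cert good
gen_crl                  # first CRL: empty
echo "before revocation: $(crl_status "$WORK/certs/demo/good.pem")"   # ok
revoke_cert good keyCompromise
gen_crl                  # second CRL: lists the serial with reason keyCompromise
echo "after revocation:  $(crl_status "$WORK/certs/demo/good.pem")"   # revoked
```

The CA section here deliberately sets copy_extensions = none and its own v3_leaf extensions, so even if check_csr were skipped the CA:TRUE request would not make it into a certificate; the check still matters because a real config may use copy or copyall. Run it twice with the same CN and openssl ca will refuse the second request unless unique_subject = no is set, which is the right default for a CA database.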


See OpenSSL CA Setup