• Home
  • |
  • Blog
  • |
  • How To Set Up A Certificate Authority On Ubuntu Using OpenSSL?
How to Set Up a Certificate Authority on Ubuntu

A Certificate Authority is an entity in PKI whose responsibility is to issue, revoke, and maintain the database of digital certificates used to prove the identity of the object over a public or private network. Public CAs (Certificate Authority) are predominantly used to verify the identities of the websites and other web services. However, medium to large size organizations uses their own private CAs on their internal network to secure their network infrastructure. This post will guide you how to set up a Certificate Authority on Ubuntu using a built-in utility called OpenSSL. We also cover how to create a CSR (Certificate Signing Request) and issue a certificate on using your new CA for the CSR. Let’s begin.

What Is A PKI System?

Public Key Infrastructure, in short PKI, is a set of hardware, software, encryption technologies, and services used to create, manage, distribute, use, store and revoke digital certificates. The main purpose of the PKI system is to provide secure communication across the network by verifying the identities of legitimate resources.

What Is Certificate Authority?

A Certificate Authority is one of the main entities in PKI, whose responsibility is to issue, revoke, and maintain the database of digital certificates which are used to prove the identity of the object over a public or private network. The primary role of the CA is to digitally sign and publish a public key (certificate) bound to a given user, machine, application, and entity. 

Note: PKI is itself often used as a synonym for a CA implementation. Moreover, the term trusted third party (TTP) might also be used for certificate authority (CA).

What Is OpenSSL?

OpenSSL is a robust, commercial-grade, and full-featured software library which offers Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services for applications. OpenSSL can be used in various tasks. It can be used to create cryptographic keys (private and public key pair), it can use be used as a full-stack Certificate Authority CA to issue the requested certificates. Moreover, it can also be used to generate self-signed and code signed certificates too. However, In this post, You will learn how to set up a Certificate Authority using OpenSSL.

OpenSSL is an open-source and cross-platform application available for Linux, Windows, macOS, and BSD systems. You can set up a Certificate Authority on any platform on which you will have OpenSSL.

Prerequisites To Set Up A Certificate Authority On Ubuntu

The prerequisites required to set up a certificate authority are very minimal. You just need a physical or virtual machine running Ubuntu. Anyways, OpenSSL is included in the default packages, so you may not be required to install it. You can make sure of the installation of OpenSSL by checking its version command.

$ openssl version -a

If in case you don’t see OpenSSL installed on your Ubuntu. Run this command to install OpenSSL on Ubuntu.

$ sudo apt install openssl 

Procedure To Set Up A Certificate Authority On Ubuntu

How to set up a certificate authority on Ubuntu?

  1. Update the repository in Ubuntu

    Start the process with repository and system upgrade.

    $ sudo apt update && sudo apt upgrade

    $ sudo apt update && sudo apt upgrade

  2. Install NTP on Ubuntu

    Run this command to install NTP on Ubuntu:

    $ sudo apt install ntp

    You can see the list of NTP servers your machine sync with. Run this command to see the list.

    $ ntpq -p


    Install NTP on Ubuntu

  3. Create files and folders to set up certificate authority on ubuntu

    It is better to organize the new CA with dedicated folders. Let’s create some directories and files required to set up certificate authority on Ubuntu.

    Create a directory that serves as the root directory for the CA.
    $ sudo mkdir /root/ca/

    Create five more directories underneath ‘ca’ directory.

    Create ‘certs’ directory to store issued certificates.
    $ sudo mkdir /root/ca/certs/

    Create ‘CRL’ directory to store Certificate Revocation List.
    $ sudo mkdir /root/ca/crl/

    Create optional directory ‘newcerts’ to store new certificates.
    $ sudo mkdir /root/ca/newcerts/

    Create a directory ‘private’ to store private keys.
    $ sudo mkdir /root/ca/private/

    Create a dedicated directory ‘requests’ to store certificate requests or CSRs.
    $ sudo mkdir /root/ca/requests/

    Create ‘index.txt’ which act as a database for issued certificates.
    $ sudo touch /root/ca/index.txt

    Create an empty file named ‘serial’ which stores the next serial number of the certificate. Switch to superuser mode to create the file.
    $ sudo su
    # echo ‘1000’ > /root/ca/serial

    Note: 1000 is just a seed number to start the certificate counter. You can assign your own number to start with.

    At last, enable permission restriction on these files and folders so that only the owner can modify them.
    # chmod 600 /root/ca

    Create files and folders to set up certificate authority on ubuntu

  4. Create a private of the CA’s certificate


    Navigate to the ca directory.
    # cd /root/ca/

    Run this OpenSSL command to create a RSA private key cakey.pem of length of 4096 bits for CA’s certificate.
    # openssl genrsa -aes256 -out private/cakey.pem 4096

    Note: It asks to set a passphrase to secure the key. Use complex if you are working in production.

    Create a private of the CA's certificate

  5. Create a public certificate for the CA using the private key created in the previous step

    Run this command to create a certificate that expires in 3650 days.

    # openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650


    It asks few details with the passphrase of the private key. Enter all the details to generate CA’s certificate. Make a note of the details. Because the same information is required to create CSR for other certificates.

    ountry Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:KARNATAKA
    Locality Name (eg, city) []:BENGALURU
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:THESECMASTER
    Organizational Unit Name (eg, section) []:IT-SECURITY
    Common Name (e.g. server FQDN or YOUR name) []:thesecmaster.com
    Email Address []:[email protected]

    Create a public certificate for the CA

  6. Update the CA path in openssl.cnf

    openssl.cnf is the file where you need to set the important configurations required to run the CA.

    Open the configuration file using any text editor application. We are using nano text editor in the demonstration.

    # nano /usr/lib/ssl/openssl.cnf

    Scroll down the file to the [ CA_default ] section. Update the CA path.

    [ CA_default ]
    dir = /root/ca # Where everything is kept




    Update the CA path in openssl.cnf

  7. Other configurations in openssl.cnf

    You can scroll down to verify other configurations. save the file Ctrl+o. Exit the file Ctrl+x.

    This completes the procedure to set up Certificate Authority on Ubuntu. Your CA is ready to issue the certificates.

    Other configurations in openssl.cnf

  8. Create a Certificate Signing Request for demonstration

    The private key is one of the must-have entities to create a CSR. The creation of a private key is included as a sub-process in the same command. Just use this command to create a CSR for the exampledomain.com domain.

    # cd requests/
    # openssl req -new -newkey rsa:2048 -nodes -keyout exampledomain.com.key -out exampledomain.com.csr


    Let’s break down the command to understand.
    openssl req: It denotes a new openssl request.
    new: New request
    newkey rsa:2048: It creates a 2048-bit RSA key
    nodes: It dosen’t encrypt the key which is not recommended. We are showing this just for demo.
    keyout: It takes the private key as an argument and send that key to the CSR file example.com.csr
    out: This writes the CSR to a file. example.com.csr in our demo


    Create a Certificate Signing Request

  9. Issue the certificate for the CSR created in the previous step.

    Command to issue the certificate.

    # openssl ca -in exampledomain.com.csr -out exampledomain.com.crt


    Issue the certificate

  10. Certificate issued for exampledomain.com.



    Certificate issued for exampledomain.com

  11. rootca cerrificate and exampledomain certificate

    RootCA certificate is valid for 10 years. and exampledomain.com valid for 1 year.

    Note: Certificates are not trusted on Windows machine as root certificate is not imported.

    rootca cerrificate and exampledomain certificate

  12. Certificates after import on the Windows machine



    Certificates after import

This completes the procedure to set up Certificate Authority on Ubuntu.

Thanks for reading the tutorial post. We would encourage to try this and share comments. Let’s know for any queries. We are happy to answer.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.