PKI Certificate Tutorials - Herong's Tutorial Examples - v1.11, by Herong Yang
"openssl ca" - CA Signing Certificate
This section describes the 'openssl ca' command, which allows you to sign a CSR (Certificate Signing Request) into a certificate as a CA (Certificate Authority).
What Is the "openssl ca" Command? "openssl ca" is an OpenSSL command that lets a CA (Certificate Authority) sign a CSR (Certificate Signing Request) into a certificate.
Since a large number of options are supported, the "openssl ca" command requires a configuration file to provide default option values. The default configuration file is called openssl.cnf and is located in the OPENSSLDIR directory set during installation. Here is how to find the default openssl.cnf:
# Show the OPENSSLDIR setting
herong$ openssl version -a
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
built on: Tue Jan 30 17:17:41 2024 UTC
platform: linux-x86_64
OPENSSLDIR: "/etc/ssl"
...

# Look at the default openssl.cnf
herong$ more /etc/ssl/openssl.cnf
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
...
[ ca ]
dir = ./demoCA # Where everything is kept
...
OpenSSL also uses the files listed below to let the CA track each certificate it signs. The default directory for these files is ./demoCA, as specified in the default openssl.cnf.
./demoCA/serial          CA serial number file
./demoCA/serial.old      CA serial number backup file
./demoCA/index.txt       CA text database file
./demoCA/index.txt.old   CA text database backup file
./demoCA/certs           certificate output file
./demoCA/.rnd            CA random seed information
You can follow the next tutorials to create your own configuration file, manage CA tracking files, and sign certificates as a CA.
Or you can run the "man openssl-genpkey" command on a Linux system to read the manual to explore more key generation options.
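An added example, not from the original tutorial: a shell function that creates the CA tracking files in a temporary directory, writes a minimal configuration file, and signs one CSR with "openssl ca". The file name ca.cnf, the subject names, the section names policy_cn, leaf_ext, dn and v3_ca, and the use of ./demoCA/certs as new_certs_dir are assumptions chosen for this demo.

```shell
# Added example (constructed names): a throwaway CA signs one CSR.
demo_ca_sign() {
  work=$(mktemp -d) || return 1; rc=0
  (
    cd "$work" || exit 1
    # Tracking files "openssl ca" expects before it signs anything
    mkdir -p demoCA/certs
    : > demoCA/index.txt     # empty text database
    echo 01 > demoCA/serial  # next serial number (hex)
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 30
policy = policy_cn
x509_extensions = leaf_ext
[ policy_cn ]
commonName = supplied
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed demo CA certificate, then a CSR made with a separate key
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout demoCA/cakey.pem -out demoCA/cacert.pem -subj "/CN=Demo Root CA" -days 30 2>/dev/null || exit 1
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout server.key -out server.csr -subj "/CN=server.example.test" 2>/dev/null || exit 1
    # Sign the CSR as the CA; -batch answers the confirmation prompts
    openssl ca -batch -config ca.cnf -in server.csr -out server.crt 2>/dev/null || exit 1
    openssl verify -CAfile demoCA/cacert.pem server.crt >/dev/null 2>&1 || exit 1
    [ -s demoCA/certs/01.pem ] || exit 1   # CA's own copy, named by serial
    # Print next serial, then status and serial of the issued certificate
    echo "$(cat demoCA/serial) $(cut -f1,4 demoCA/index.txt | tr '\t' ' ')"
  ) || rc=$?
  rm -rf "$work"
  return $rc
}
demo_ca_sign
```

A successful run prints `02 V 01`: the serial file has advanced to 02, and index.txt records serial 01 as valid (V). The leaf_ext section marks issued certificates as CA:FALSE so that a signed end-entity certificate cannot itself act as a CA.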