Skip to main content

Steps to create your own CA

We are going to be doing using an open source implementation of the TLS and HTTPS protocol known as OpenSSL

Installing OpenSSL:

On your Ubuntu/Debian Machine, type sudo apt install openssl, and press y to install it.

Once that is done, run the following commands:

Stuff is going to get pretty confusing so read everything carefully and I will try my best to explain it

Generating our own CA Certificate:

Even though I talked about a CA being a company and whatnot, and the end of the day, it is simply a certificate file. So here is how to create that CA file:

We first need to generate an RSA private key file for our Certificate Authority. This file is called ca-key.pem. It is private key of the CA.

openssl genrsa -aes256 -out ca-key.pem 4096

You will be prompted to enter a passphrase.

As this is the "signer" of our SSLs, it is important to keep this file safe, and thus when you are prompted to enter a passphrase, enter a secure one, and please do not forget it

Once that is done, and you enter ls, you should see the file.

We now need to create the public key file for our Certificate Authority. This is done by entering the following command:

openssl req -new -x509 -sha256 -days 5475 -key ca-key.pem -out ca.pem


  • req is to request the creation of a new Certificate Authority
  • -new specifies creation of a new CA
  • -x509 specifices the standard to use for creating the CA. x509 is the set standard for HTTPS and SSL certs
  • -sha256 specifies the encryption algorithm
  • -days 5475 specifies the duration that this CA is going to valid for. Set this to something long, as you will be installing this file in the Trusted Root Cert Store of devices
  • -key specifies the private key file to use, in this caseĀ ca-key.pem to create the public key
  • -out specifies the name of the output public key file. This is ca.pem

You will now have two files. One private key file for you CA and one public key file for your CA. Make your you don't lose these files.

And with that, you have created your very own Certificate Authority! Proceed to the next page to see how to create SSL certs that will be signed by your custom CA.