Custom CA using OpenSSL
CA private key
Section titled “CA private key”4096-bit RSA — CAs are long-lived, give them headroom:
openssl genrsa -out ca.key 4096CA root certificate
Section titled “CA root certificate”Self-signed root cert. -x509 outputs a certificate (not a CSR); -sha256 is
explicit — OpenSSL 3 defaults to it but stating it keeps the snippet portable
to older systems:
openssl req -new -x509 -sha256 -days ${{ DAYS }} -key ca.key -out ca.crt -subj "/C=${{ COUNTRY }}/ST=${{ STATE }}/L=${{ CITY }}/O=${{ ORG }}/OU=CA/CN=${{ ORG }} CA"Server private key
Section titled “Server private key”2048-bit RSA is fine for a leaf cert:
openssl genrsa -out server.key 2048Server CSR
Section titled “Server CSR”openssl req -new -sha256 -key server.key -out server.csr -subj "/C=${{ COUNTRY }}/ST=${{ STATE }}/L=${{ CITY }}/O=${{ ORG }}/OU=Server/CN=${{ DOMAIN }}"Sign the server CSR
Section titled “Sign the server CSR”With the CA (requires a CA directory layout: new_certs_dir, database,
serial in your openssl.cnf, or use a minimal config with -config):
openssl ca -md sha256 -in server.csr -out server.crt -keyfile ca.key -cert ca.crt -days ${{ DAYS }}Or, without a full CA setup:
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days ${{ DAYS }}