Skip to content

Custom CA using OpenSSL

4096-bit RSA — CAs are long-lived, give them headroom:

Terminal window
openssl genrsa -out ca.key 4096

Self-signed root cert. -x509 outputs a certificate (not a CSR); -sha256 is explicit — OpenSSL 3 defaults to it but stating it keeps the snippet portable to older systems:

Terminal window
openssl req -new -x509 -sha256 -days ${{ DAYS }} -key ca.key -out ca.crt -subj "/C=${{ COUNTRY }}/ST=${{ STATE }}/L=${{ CITY }}/O=${{ ORG }}/OU=CA/CN=${{ ORG }} CA"

2048-bit RSA is fine for a leaf cert:

Terminal window
openssl genrsa -out server.key 2048
Terminal window
openssl req -new -sha256 -key server.key -out server.csr -subj "/C=${{ COUNTRY }}/ST=${{ STATE }}/L=${{ CITY }}/O=${{ ORG }}/OU=Server/CN=${{ DOMAIN }}"

With the CA (requires a CA directory layout: new_certs_dir, database, serial in your openssl.cnf, or use a minimal config with -config):

Terminal window
openssl ca -md sha256 -in server.csr -out server.crt -keyfile ca.key -cert ca.crt -days ${{ DAYS }}

Or, without a full CA setup:

Terminal window
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days ${{ DAYS }}