Zabacad's certificate authority

This is a set of OpenSSL commands and configurations for creating a private certificate authority (CA) and issuing certificates.

Why operate a CA?

Obtaining publicly signed certificates is now free through Let's Encrypt or included with cloud services such as AWS's Certificate Manager (ACM).

There are still reasons to run a private CA:

Requirements

This guide is for OpenSSL 1.1.1. Check the version with openssl version.

Some commands assume Bash/Linux.

The CA

  1. Generating the root certificate
  2. Generating an intermediate certificate
  3. Trusting the CA

Certificates

  1. Generating certificate signing requests
  2. Issuing certificates
  3. Installing certificates

More

Future work

Warning: CAs cannot be modified. Any future changes require a rebuild.

  • Revoking certificates: CRLs, OCSP, and OCSP stapling.