Create OpenSSL CA

This is how to create your own X.509 Certification Authority (CA) with OpenSSL for signing your own certificates. Note that this is not an OpenSSH certificate authority: OpenSSH host and user certificates are a separate format that is signed with ssh-keygen -s, and they are not covered here.
I used a Debian system with OpenSSL installed on it.

First you have to create the CA itself. On your Linux system with OpenSSL installed, open the following config file. On Debian, /usr/lib/ssl/openssl.cnf is a symlink to /etc/ssl/openssl.cnf, the system-wide configuration, so every openssl invocation on the host picks up the change; if you do not want that, copy the file somewhere else and pass it to openssl with -config instead.

# vim /usr/lib/ssl/openssl.cnf

Look for the [ CA_default ] section and change "dir" to /root/ca. All other paths in that section (certs, crl_dir, new_certs_dir, database, serial, private_key, certificate) are derived from $dir, so this one change points the whole CA at that directory.

dir = /root/ca

Now we have to prepare the filesystem where the keys and certificates will be stored. Use the following snippet to create the directories the config file expects: newcerts receives a copy of every certificate the CA issues, private holds the CA key, and requests is just a place to keep incoming CSRs.

# mkdir /root/ca
# cd /root/ca
# mkdir newcerts certs crl private requests

The CA must always be protected properly. Therefore adjust the permissions so that only a privileged user can access the files and keys. In this case I'll use the root user; in a production environment, however, this should be avoided and the CA key should live on a dedicated (ideally offline) machine under its own account. Note that a plain chmod -R 600 would also strip the execute bit from the directories and make them untraversable, which is not what you want; the u=rwX form below sets read/write on everything and execute only on directories, and removes all access for group and others.

# chmod -R u=rwX,go= /root/ca

In the /root/ca directory we also have to create the database (index.txt) for the certificates. One line per signed certificate, with its status, expiry, serial and subject, will be stored in this file, and openssl ca refuses to run without it. Then we need a file (serial) that holds the serial number of the next certificate; it is written in hex (so 1234 below means 0x1234) and is incremented with every signed certificate. Setting a "base ID" here just picks the serial number the first certificate will get.

# touch index.txt
# echo '1234' > serial

After this initial setup we can start creating the CA certificate. First we have to create the private key. The command encrypts it with AES-256 and asks for a passphrase; store that passphrase somewhere safe, because without it the CA can neither sign nor revoke anything.

# openssl genrsa -aes256 -out private/cakey.pem 4096

Now we can create the self-signed root CA certificate from this private key. It will be valid for 10 years (3650 days). openssl req prompts for the subject fields (country, organisation, common name) and takes the CA extensions (basicConstraints CA:TRUE, key usage for signing certificates and CRLs) from the [ v3_ca ] section of openssl.cnf. The serial number is set explicitly; RFC 5280 requires it to be a positive integer, so 1 is used rather than 0.

# openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 1

Now that we have the root CA certificate, we can start signing our own certificate signing requests (CSRs). Again we start with a private key, this time for the server. The command below encrypts it with a passphrase like the CA key; keep in mind that a daemon then needs that passphrase every time it starts, so unattended services usually keep the server key unencrypted and rely on file permissions instead.

# openssl genrsa -aes256 -out private/some_serverkey.pem 2048

Then we create a CSR with this key. openssl req prompts for the subject fields again; with the default policy_match policy in openssl.cnf, the country, state and organisation must match the CA certificate exactly, otherwise the signing step rejects the request.

# openssl req -new -key private/some_serverkey.pem -out requests/some_server.csr

And now we sign the CSR with our root CA to make it valid. openssl ca asks for the CA passphrase and for confirmation, writes the certificate to the output file, records it in index.txt, stores a copy as newcerts/<serial>.pem and increments serial. Be aware that modern clients ignore the common name and require a subjectAltName extension, which this default configuration does not add; pass -extensions with a section of openssl.cnf that sets subjectAltName for the host names the certificate is meant for.

# openssl ca -in requests/some_server.csr -out certs/some_server.pem

If a certificate should be revoked and therefore invalidated, use the following command. The certificate must be one this CA issued and recorded in index.txt; the copy in newcerts/ works if you no longer have the one you handed out. Revoking only marks the entry as revoked (an "R" line) in index.txt; clients learn nothing until you publish a CRL with openssl ca -gencrl (which additionally needs a crlnumber file in the CA directory) or run an OCSP responder.

# openssl ca -revoke <path/to/cert>
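The whole procedure above, from CA setup through signing to revocation, as an added example that is not part of the original page: a POSIX shell function that builds the CA in a throwaway directory with its own minimal openssl.cnf (so the system-wide file is left alone), issues a server certificate with a subjectAltName, verifies it against the root, revokes it, publishes a CRL and confirms that verification against that CRL now fails. The CA name "Demo Root CA", the host name www.example.test, the passphrase and the 2048-bit CA key size are assumptions for the demo (the page uses 4096 bits); the only departures from the page's commands are -config, -batch, -subj and -passin/-passout, which make the run non-interactive.

```shell
# Added example (not from the original page): the procedure above, run end to
# end in a throwaway directory with its own minimal openssl.cnf, so the
# system-wide /usr/lib/ssl/openssl.cnf is left untouched.
# Assumptions: the CA name, the host name www.example.test and the passphrase
# are made up; the CA key is 2048 bits here (the page uses 4096) only for speed.
set -eu

demo_ca() {
    CA=$(mktemp -d) || return 1
    CNF="$CA/openssl.cnf"
    CA_PASS='demo-passphrase-change-me'

    # Layout expected by [CA_default] below, plus the crlnumber counter that
    # "openssl ca -gencrl" needs. Both counters are hex.
    mkdir "$CA/newcerts" "$CA/certs" "$CA/crl" "$CA/private" "$CA/requests" || return 1
    chmod 700 "$CA" "$CA/private" || return 1
    : > "$CA/index.txt"
    echo 1234 > "$CA/serial"
    echo 1000 > "$CA/crlnumber"

    cat > "$CNF" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CA
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
unique_subject   = no

[ policy_cn_only ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # 1. Passphrase-protected CA key and self-signed root. RFC 5280 requires a
    #    positive serial number, so 1 is used instead of 0.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$CNF" -key "$CA/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=Demo Root CA" -days 3650 -set_serial 1 -out "$CA/cacert.pem" || return 1

    # 2. Server key kept unencrypted (a daemon must load it unattended) and its CSR.
    openssl genrsa -out "$CA/private/some_serverkey.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$CNF" -key "$CA/private/some_serverkey.pem" \
        -subj "/CN=www.example.test" -out "$CA/requests/some_server.csr" || return 1

    # 3. Sign with the v3_server extensions (modern clients ignore the CN and
    #    require the subjectAltName), then check the chain builds to our root.
    openssl ca -config "$CNF" -batch -notext -passin "pass:$CA_PASS" -extensions v3_server \
        -in "$CA/requests/some_server.csr" -out "$CA/certs/some_server.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/some_server.pem" >/dev/null || return 1

    # 4. Revoke (index.txt gets an "R" line), publish a CRL, and confirm that
    #    validation against that CRL now fails. -revoke alone tells clients nothing.
    openssl ca -config "$CNF" -passin "pass:$CA_PASS" -revoke "$CA/certs/some_server.pem" \
        -crl_reason keyCompromise 2>/dev/null || return 1
    openssl ca -config "$CNF" -passin "pass:$CA_PASS" -gencrl -out "$CA/crl/crl.pem" 2>/dev/null || return 1
    grep -q '^R' "$CA/index.txt" || return 1
    if openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/crl.pem" \
           "$CA/certs/some_server.pem" >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2
        return 1
    fi
    echo "demo CA in $CA: issue, verify, revoke and CRL check behaved as expected"
}

demo_ca
```

Run it with sh on any machine that has openssl in PATH; it leaves the demo CA in the temporary directory it prints so you can inspect index.txt, serial, crlnumber and newcerts/ afterwards. Every step is followed by || return 1 deliberately: set -e is suspended inside a function that is called as part of an || or if condition, so without the explicit checks a failed step would be silently skipped.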