Gentoo Wiki


If one has a small network, or even only 1 computer, and needs to do things with TLS/SSL, often one just creates a self-signed certificate for each computer as needed. This works, but you can be your own certificate authority and make this process much easier.

Unfortunately, Linux doesn't (yet) have a GUI to make it "point-and-click" easy, so one has to use the command prompt. There are 2 tools one can use: OpenSSL or GNUTLS.


Preparatory Procedure

You do not have to be root to generate certificates. Because we will be generating sensitive key material, I recommend the process be done on an inexpensive flash drive/card (an 8 MB card is fine). Otherwise, you can use your home directory.

In either case, for this example, we will create a pki directory with 2 more subdirectories under it: certs and keys

Shell: Using bash
  mkdir -p pki/certs pki/keys
  cd pki


If you do not have GNUTLS installed, emerge it:

emerge -av net-libs/gnutls

Note that GnuTLS is missing some functionality compared to OpenSSL; the remaining functions (revocation, private key encryption) have to be done by app-crypt/gnupg >= 1.9, with the "gpg2-experimental". Unfortunately app-crypt/gnupg >= 2.0 is not yet stable. GnuTLS is easier to use than OpenSSL, however.

Create a private key

certtool -p --bits 1024 --outfile keys/ca.pem

Note: This could take several minutes. The process will stall if there is not enough entropy available.
Tip: Typing and moving the mouse increases the amount of entropy available in the entropy pool.
Warning: This key is vital - if it gets lost or compromised, you are totally hosed. Therefore, keep at least 1 unencrypted copy of the key somewhere safe - like a small flash card stored in a locked cabinet or safety deposit box. The key should be encrypted elsewhere; unfortunately certtool doesn't support this.

Create the certificate, using the new key

certtool --load-privkey keys/ca.pem --generate-self-signed --outfile certs/ca.crt

You will then be asked some questions:

Shell: Using certtool
 Generating a self signed certificate...
 Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
 Country name (2 chars): 
 Organization name: 
 Organizational unit name: 
 Locality name: 
 State or province name: 
 Common name: 
 This field should not be used in new certificates.
 Enter the certificate's serial number (decimal):

 Activation/Expiration time.
 The certificate will expire in (days): 

 Does the certificate belong to an authority? (Y/N):
 Is this a TLS web client certificate? (Y/N):
 Is this also a TLS web server certificate? (Y/N):
 Enter the e-mail of the subject of the certificate:
 Will the certificate be used to sign other certificates? (Y/N):
 Will the certificate be used to sign CRLs? (Y/N):
 Will the certificate be used to sign code? (Y/N):
 Will the certificate be used to sign OCSP requests? (Y/N):
 Will the certificate be used for time stamping? (Y/N):
 Enter the URI of the CRL distribution point: 

The important questions here are:

Common name 
If you have a domain, put that here. If this is for a company, put the company name here. If neither applies, just put "local".
Certificate's serial number 
Every certificate by a CA has to have a unique serial number. Since this is the root one, you can put in whatever you like, or just put 0, but it must be filled in
Activation/Expiration time 
The time until the CA certificate expires. It should be long-lived; 10 years (3650 days) is a good pick if you don't have a better value in mind.
Does the certificate belong to an authority? 
Answer "Y" to this one
Will the certificate be used to sign other certificates? 
Answer "Y" to this one
Enter the URI of the CRL distribution point 
If you have a webserver, put the URL of where you intend to put your CRL, like - otherwise leave it blank. You SHOULD fill this in if you are going to have a web server.

As for the other values, you generally need not worry about them. If you have some kind of directory service (LDAP or X.500) and a Distinguished Name (DN), then use those same values. Directory services will not be covered here.

For all the other questions, either leave blank or answer N.

Unlike the private key, the certificate is public; it can and should be distributed to each computer and user you have.

Using OpenSSL

OpenSSL is installed by default on all Gentoo systems, because OpenSSH is in the base profile, which, in turn, depends on OpenSSL. OpenSSL on Gentoo uses /etc/ssl as its home directory. has excellent directions on setting up a CA with openssl.

Prep work

The first step is to create the necessary files and directories:

$ cd ~
$ mkdir pki
$ cd pki
$ mkdir certs crl newcerts private
$ chmod 700 private
$ touch index.txt

And since we are just testing at the moment, we need to copy /etc/ssl/openssl.cnf to our test area:

$ cp /etc/ssl/openssl.cnf ~/pki/

Edit openssl.cnf

Edit openssl.cnf with your editor of choice.

Note: Don't worry if RANDFILE points to a non-existent file. OpenSSL defaults to using /dev/urandom as a source of randomness

Create key & request

Now we create the private key and certificate request

$ openssl req -new -keyout private/cakey.pem -out careq.pem -config ./openssl.cnf

Here -new denotes a new keypair, -keyout dictates where the new private key will go, -out determines where the request will go, and -config tells openssl to use our test config rather than the default config.

Self-sign certificate

And finally, self-sign the certificate request (CSR) to create our signed CA certificate (CRT):

$ openssl ca -create_serial -out cacert.pem -days 3650 \
-keyfile private/cakey.pem -selfsign -extensions v3_ca \
-config ./openssl.cnf -infiles careq.pem

Using configuration from ./openssl.cnf
Enter pass phrase for private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            Not Before: Jun  5 22:32:47 2007 GMT
            Not After : Jun  2 22:32:47 2017 GMT
            countryName               = US
            stateOrProvinceName       = Iowa
            organizationName          = Foo Bar
            organizationalUnitName    = Support
            commonName                =
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 
                DirName:/C=US/ST=Iowa/O=Foo Bar Corp/OU=Support/

            X509v3 Basic Constraints: 
            X509v3 Subject Alternative Name: 
            X509v3 Issuer Alternative Name: 
            X509v3 CRL Distribution Points: 

Certificate is to be certified until Jun  2 22:32:47 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

-create_serial is especially important. Many HOW-TOs will have you echo "01" into the serial file, thus starting the serial number at 1 and using 8-bit serial numbers instead of 128-bit serial numbers. With -create_serial, openssl generates a random 128-bit serial number to start with. The randomness helps to ensure that if you make a mistake and start over, you won't overwrite existing serial numbers out there.
-out determines where the self-signed certificate will go.
-days determines how long the certificate will be valid for.
-keyfile specifies the private key to use for signing (this was created in the last step).
-selfsign tells openssl to use the data from the CSR when signing instead of expecting a CA CRT.
-extensions tells openssl to use the v3_ca section of the config
-config again specifies our config.
-infiles specifies what to sign, which in this case is the CSR for our new CA.
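The OpenSSL steps above can be run unattended in a scratch directory and the result checked before the CA is trusted anywhere. This is an added example, not part of the original wiki page: the minimal openssl.cnf, its section names, the CN, the 2048-bit key and the -nodes/-batch switches (which only remove the prompts for a throwaway CA) are assumptions, and the checks on the CA flag, serial length and key match go one step beyond what the page shows.

```shell
#!/bin/sh
# Added example: throwaway CA built with the page's commands, then verified.
make_openssl_ca() (       # $1 = existing empty directory
    cd "$1" || exit 1
    mkdir certs crl newcerts private && chmod 700 private && touch index.txt
    cat > openssl.cnf <<'EOF'
# Minimal constructed config; section names and the CN are assumptions
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    # -nodes and -batch only remove the prompts for this throwaway CA
    openssl req -new -newkey rsa:2048 -nodes -keyout private/cakey.pem \
        -out careq.pem -config ./openssl.cnf &&
    openssl ca -batch -create_serial -out cacert.pem -days 3650 \
        -keyfile private/cakey.pem -selfsign -extensions v3_ca \
        -config ./openssl.cnf -infiles careq.pem
)

check_ca() {              # $1 = CA certificate, $2 = its private key
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints is not CA:TRUE"; return 1; }
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    [ "${#serial}" -gt 8 ] || { echo "serial too short: $serial"; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
}

ca_dir=$(mktemp -d)
make_openssl_ca "$ca_dir" && check_ca "$ca_dir/cacert.pem" "$ca_dir/private/cakey.pem" &&
    echo "CA checks passed in $ca_dir"
```
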


Last modified: Thu, 04 Sep 2008 05:15:00 +0000 Hits: 6,051