This guide walks through setting up a fully functional Local Certificate Authority (CA) using OpenSSL on Ubuntu. The CA server can issue and sign SSL/TLS certificates for internal services like web servers, VPNs, APIs, or internal tools. The goal is to save money on public certs and gain total control over certificate trust in your environment.
Install OpenSSL:
sudo apt update
sudo apt install openssl -y
Confirm it’s installed:
which openssl
Create the CA directory structure, restrict the private key directory, and start from a copy of the default OpenSSL config:
sudo mkdir -p /etc/ssl/KeepItTechieCA/{certs,private,crl,newcerts,csr}
sudo chmod 700 /etc/ssl/KeepItTechieCA/private
sudo cp /etc/ssl/openssl.cnf /etc/ssl/KeepItTechieCA/
sudo nano /etc/ssl/KeepItTechieCA/openssl.cnf
Update the following:
In the [ CA_default ] section:
dir = /etc/ssl/KeepItTechieCA
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
database = $dir/index.txt
new_certs_dir = $dir/newcerts
default_md = sha256
policy = policy_match
In the [ req_distinguished_name ] section:
countryName_default = US
stateOrProvinceName_default = California
localityName_default = Los Angeles
organizationName_default = KeepItTechie, Inc.
organizationalUnitName_default = IT Department
Initialize the serial number file and the (empty) certificate database:
echo 01 | sudo tee /etc/ssl/KeepItTechieCA/serial
sudo touch /etc/ssl/KeepItTechieCA/index.txt
Generate the CA private key (you will be prompted for a passphrase) and the self-signed root certificate:
sudo openssl genrsa -aes256 -out /etc/ssl/KeepItTechieCA/private/cakey.pem 4096
sudo openssl req -new -x509 -sha256 \
-config /etc/ssl/KeepItTechieCA/openssl.cnf \
-key /etc/ssl/KeepItTechieCA/private/cakey.pem \
-out /etc/ssl/KeepItTechieCA/cacert.pem \
-subj "/C=US/ST=California/L=Los Angeles/O=KeepItTechie, Inc./CN=KeepItTechie Root CA"
Note that openssl req -x509 issues a certificate valid for only 30 days unless you add -days (for example -days 3650), so set the validity you want for the root explicitly.
On the host that needs a certificate, generate a private key and a certificate signing request (CSR):
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr \
-subj "/C=US/ST=California/L=Los Angeles/O=KeepItTechie, Inc./CN=demo.keepittechie.local"
Send server.csr to the CA server for signing.
On the CA server, sign the CSR:
sudo cp server.csr /etc/ssl/KeepItTechieCA/csr/
sudo openssl ca -config /etc/ssl/KeepItTechieCA/openssl.cnf \
-in /etc/ssl/KeepItTechieCA/csr/server.csr \
-out /etc/ssl/KeepItTechieCA/certs/server.crt
Confirm with y to sign and y to commit when prompted.
On each client that should trust your CA, install the root certificate into the system trust store:
sudo cp cacert.pem /usr/local/share/ca-certificates/keepittechieCA.crt
sudo update-ca-certificates
Now this client will trust any certs signed by your CA.
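As an added, self-contained example (not part of the original guide), the script below builds a throwaway CA in a temporary directory with the same openssl.cnf, index.txt and serial layout, issues one server certificate, and verifies it against the CA. It assumes openssl 1.1.1 or newer, uses -batch in place of the y/y prompts, and sets copy_extensions = copy so the subjectAltName requested in the CSR survives signing (browsers ignore the CN and require a SAN); the directory and host names are made up for the lab.

```shell
#!/bin/sh
# Added lab example, not the guide's files: a throwaway CA laid out like the guide's
# (openssl.cnf, index.txt, serial), one server cert carrying a subjectAltName, then
# verification. Needs openssl >= 1.1.1. The CA key is unencrypted only because this
# run is unattended; keep -aes256 on a real CA key as the guide does.
set -eu
write_ca_config() {   # $1 = CA directory
  # copy_extensions = copy is the setting most people miss: without it
  # `openssl ca` silently drops the subjectAltName requested in the CSR.
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_lab
copy_extensions = copy
x509_extensions = server_cert
[ policy_lab ]
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
build_lab_ca() {   # $1 = CA directory, $2 = server hostname
  mkdir -p "$1/private" "$1/newcerts" "$1/csr" "$1/certs"
  write_ca_config "$1"; : > "$1/index.txt"; echo 01 > "$1/serial"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/openssl.cnf" \
    -subj "/CN=Lab Root CA" -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$1/csr/server.key" -out "$1/csr/server.csr" 2>/dev/null
  # -batch answers the "Sign the certificate? / commit?" prompts the guide shows
  openssl ca -batch -notext -days 30 -config "$1/openssl.cnf" -in "$1/csr/server.csr" \
    -out "$1/certs/server.crt" >/dev/null 2>&1
}
verify_leaf() {   # $1 = CA directory, $2 = hostname; prints ok or fail
  if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
      "$1/certs/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
```

Run build_lab_ca "$(mktemp -d)" demo.lab.local and then verify_leaf with the same directory; the check passes for demo.lab.local and fails for any other hostname because the SAN, not the CN, is what gets matched.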
Example Apache virtual host using the signed certificate:
<VirtualHost *:443>
ServerName demo.keepittechie.local
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# Only needed if you also enable client certificate authentication (SSLVerifyClient);
# clients trust server.crt through the root installed in their trust store above.
SSLCACertificateFile /usr/local/share/ca-certificates/keepittechieCA.crt
</VirtualHost>
Then restart:
sudo systemctl restart apache2
Keep the CA private key (cakey.pem) secure and backed up; anyone holding it can issue certificates that every client trusting this CA will accept.