Certificate Authority
Generate the Certificate Authority (CA) Private Key
Every certificate must have a corresponding private key. Generate this using the following command line:
# openssl ecparam -name prime256v1 -genkey -noout -out ca.key
This will create a 256-bit private key on the NIST P-256 (prime256v1) elliptic curve, which is the industry standard. We know that Curve25519 is considered safer than this NIST P-256 curve, but it is only standardized in TLS 1.3, which is not yet widely supported.
Generate the Certificate Authority Certificate
The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more about this.
Generate the Root CA certificate using the following command line:
# openssl req -new -x509 -sha256 -key ca.key -out ca.crt
You will be prompted to provide some information about the CA. Here is what the request looks like:
You are about to be asked to enter information that will be incorporated into your certificate request
What you are about to enter is what is called a Distinguished Name or a DN
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Lavaltrie
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Devolutions inc.
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:devolutions.net
Email Address []:security@devolutions.net
Your CA certificate is now created. Keep its private key (ca.key) in a safe place.
Generate your server certificate
This step may be repeated for each server you need.
Generate the server certificate private key
As for the CA key, use the following command line:
# openssl ecparam -name prime256v1 -genkey -noout -out server.key
This will create a file named server.key.
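The three steps above run non-interactively and then checked, as an added example that is not part of the original page. It assumes openssl 1.1.1 or later on PATH; WORKDIR, the DN values and the 3650-day validity are constructed for the example, and -days and -subj are added to the page's req command because req -x509 issues a 30-day certificate when -days is omitted.

```shell
#!/bin/sh
# Added example (not from the original page): the page's CA and server-key steps
# run non-interactively, then checked. Assumes openssl >= 1.1.1 on PATH; WORKDIR
# and the DN values are constructed for this example.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/C=CA/ST=QC/L=Example City/O=Example Org/OU=Security/CN=example-ca"

# Steps 1 and 2 of the page: P-256 CA key, then the self-signed CA certificate.
# -days is added because "req -x509" defaults to 30 days when it is omitted and
# -subj answers the DN prompts, so the script needs no terminal.
make_ca() {
    days="${1:-3650}"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/ca.key"
    chmod 600 "$WORKDIR/ca.key"   # the CA private key stays owner-readable only
    openssl req -new -x509 -sha256 -days "$days" -subj "$CA_SUBJ" \
        -key "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
}

# Step 3 of the page: a server private key on the same curve.
make_server_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/server.key"
    chmod 600 "$WORKDIR/server.key"
}

# Print the named curve stored in an EC private key (expect prime256v1).
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# True when subject equals issuer and the signature verifies with the cert's own key.
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the certificate's public key was derived from private key $2.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the cert is still valid $2 days from now (catches the 30-day default).
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then   # usage: sh this-script.sh demo
    make_ca && make_server_key
    cert_is_selfsigned "$WORKDIR/ca.crt" && cert_key_match "$WORKDIR/ca.crt" "$WORKDIR/ca.key" &&
        cert_outlives_days "$WORKDIR/ca.crt" 365 && echo "CA OK ($(key_curve "$WORKDIR/ca.key")) in $WORKDIR"
fi
```

The check functions also work on their own against an existing ca.crt and ca.key, which is a quick way to confirm that a CA made with the page's bare req command did not end up with the 30-day default validity.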