

How to set up your own Certification Authority (CA) (2013) - Karunamon
https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

======
vruiz
certified[1] has been great for me so far in this matter.

[1] [https://github.com/rcrowley/certified](https://github.com/rcrowley/certified)

------
Karunamon
A cursory reading didn't turn up anything obviously wrong or insecure with
this setup, with the possible exception of there being insecure defaults in
openssl.cnf which is minimally edited. Would love if anyone else could confirm
that!

Other instructions on this site include setting up an intermediate CA using a
similar process and details of the signing process. Great info, anyways.

~~~
e28eta
I was having a really hard time last week trying to figure out good settings
to pass to OpenSSL in 2014. There are quite a few tutorials over the years, and as
an outsider it's really hard to evaluate the relative benefits.

I'd really love to see a continually updated set of best practices for using
OpenSSL for a variety of tasks, like creating a CA, intermediate cert, cert
for SSL/TLS, etc.

~~~
iancarroll
I'm working on a PKI "manual" which will be up soon. I kind of forgot about it
but it details a lot of things about PKI in 2015 and current security best
practices. Still has omissions though, hence why it's not up yet.

------
moe
I'd suggest to rather use easy-rsa[1] because wrestling bare OpenSSL is not
something you want to do unless you absolutely have to.

[1] [https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md)

------
jpgvm
If you are a Ruby user I would recommend looking at the r509 project. [1]

It includes an HTTP interface for issuing certs and an OCSP responder.

[1] [https://github.com/r509](https://github.com/r509)

