Certificate Authority

Ref.: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-debian-10


A Certificate Authority (CA) is an entity responsible for issuing digital certificates to verify identities on the internet. Although public CAs are a popular choice for verifying the identity of websites and other services that are provided to the general public, private CAs are typically used for closed groups and private services.

Building a private Certificate Authority will enable you to configure, test, and run programs that require encrypted connections between a client and a server. With a private CA, you can issue certificates for users, servers, or individual programs and services within your infrastructure.

Some examples of programs on Linux that use their own private CA are OpenVPN and Puppet . You can also configure your web server to use certificates issued by a private CA in order to make development and staging environments match production servers that use TLS to encrypt connections.

Setup Easy-RSA


apt update
apt upgrade
apt install sudo

Create user

adduser rsa
usermod -aG sudo rsa

Install Easy-RSA

With the created user:

sudo apt install easy-rsa

Preparing a Public Key Infrastructure Directory

mkdir ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
chmod 700 /home/rsa/easy-rsa

Initialize the PKI inside the easy-rsa directory:

./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/rsa/easy-rsa/pki

Creating a Certificate Authority

vi ~/easy-rsa/vars

set_var EASYRSA_REQ_CITY       "Oslo City"
set_var EASYRSA_REQ_ORG        "Skobbis"
set_var EASYRSA_REQ_EMAIL      "admin@skobba.net"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512" 

Build CA: Create a Passphrase and confirm the name.

./easyrsa build-ca


Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:

Wrap Up

Now you have two important files which make up the public and private components of a Certificate Authority.


ca.crt is the CA's public certificate file. Users, servers, and clients will use this certificate to verify that they are part of the same web of trust. Every user and server that uses your CA will need to have a copy of this file. All parties will rely on the public certificate to ensure that someone is not impersonating a system and performing a Man-in-the-middle attack.


ca.key is the private key that the CA uses to sign certificates for servers and clients. If an attacker gains access to your CA and, in turn, your ca.key file, you will need to destroy your CA. This is why your ca.key file should only be on your CA machine and that, ideally, your CA machine should be kept offline when not signing certificate requests as an extra security measure.