Creating and maintaining your own certificates

There are hundreds of tutorials on how to create a public certificate (usually Let's Encrypt) for private IPs, but why do that when you can create your own CA with two simple commands?

Before continuing, I have to say that we can do exactly the same with the openssl command; this tool just makes everything way easier.

1. Installing tools

What is CFSSL

CFSSL is CloudFlare’s PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.16+ to build.

For now we're just going to use the binary to create both a CA and a certificate from the command line; of course, we could also have this running in a container responding to API calls.

Depending on your favorite Linux distro:

dnf install cfssl
apt install cfssl

2. Setup the environment

Initialize a certificate authority

mkdir -p ~/cfssl/{ca,certs} && cd ~/cfssl
cfssl print-defaults config > ca/ca-config.json
cfssl print-defaults csr > ca/ca-csr.json

You have to tune the settings on your CA, such as expiry times, different profiles, etc.

Please review both JSON files under the ca folder before proceeding.

Be generous with the expiry setting on your CA (at least 5 years).

It's always recommended to use a passphrase for your CA key file; it is needed later for creating new certificates.

3. Generate a CA

cd ~/cfssl/ca
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

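You'll get the following files: ca.pem (the CA certificate), ca-key.pem (the CA private key) and ca.csr (the certificate signing request).

That's it. You can now distribute your new CA (ca.pem); just install it on any device as a certificate.

Never distribute the ca-key.pem file; that one is used to sign any new certificate you create.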

4. Generate server certificate

Create a certificate request and edit the JSON file according to your data:

cd ~/cfssl
cfssl print-defaults csr > certs/server.json

5. Sign the certificate request and return it

Run the command to create the certs using the www profile:

cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=www certs/server.json | cfssljson -bare server

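You'll get the following files: server.pem (the certificate), server-key.pem (its private key) and server.csr (the certificate signing request).

You can distribute these files to any web server or system you need.

Note: Certs must be 19800h or less to be valid in Safari.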
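
The profile tuning from step 2 and the Safari note above can be checked before signing anything. The following is an added example, not part of the original tutorial or of CFSSL: a small linter for ca/ca-config.json that flags profiles whose expiry exceeds 19800h and server profiles without the "server auth" usage. The sample config is constructed in the layout that `cfssl print-defaults config` emits; the function names and the `server_profiles` parameter are assumptions of this example.

```python
import json
import re

SAFARI_MAX_HOURS = 19800  # limit from the tutorial's Safari note

# Constructed sample in the layout of `cfssl print-defaults config`,
# with the www expiry raised to 43800h to show a failing profile.
SAMPLE_CONFIG = """
{"signing": {
  "default": {"expiry": "168h"},
  "profiles": {
    "www":    {"expiry": "43800h",
               "usages": ["signing", "key encipherment", "server auth"]},
    "client": {"expiry": "8760h",
               "usages": ["signing", "key encipherment", "client auth"]}
  }
}}
"""

_HOURS_PER_UNIT = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}


def expiry_hours(value):
    """Convert a Go-style duration such as '8760h' or '1h30m' to hours."""
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(float(n) * _HOURS_PER_UNIT[u] for n, u in parts)


def lint_config(text, server_profiles=("www",)):
    """Return findings for the signing profiles in a cfssl config."""
    profiles = json.loads(text)["signing"].get("profiles", {})
    findings = []
    for name, profile in profiles.items():
        expiry = profile.get("expiry")
        if not expiry:
            findings.append(f"{name}: no expiry set")
        elif expiry_hours(expiry) > SAFARI_MAX_HOURS:
            findings.append(f"{name}: expiry {expiry} exceeds {SAFARI_MAX_HOURS}h")
        if name in server_profiles and "server auth" not in profile.get("usages", []):
            findings.append(f"{name}: missing 'server auth' usage")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

To check a real file, pass its contents instead of the sample, for example `lint_config(open("ca/ca-config.json").read())`.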

6. Verify the CA or cert data

openssl x509 -in ca.pem -text -noout
openssl x509 -in server.pem -text -noout
openssl x509 -in client.pem -text -noout