Bare-bones Root CA


Sometimes you want to test SSL/TLS on a server and you want to experiment a bit before getting the real stuff. In these cases, having a private Certification Authority (CA) can become handy to uncover errors early.

The script below aims at easing this task.

Also found locally.

Easy to use, just one setup command and then only signing and certificate creation.


./ create

This will generate files ca.key (private key for the CA) and ca.crt (certificate, with the public key inside). Keep ca.key, distribute ca.crt to clients and make them trust it.

Certificates signing/generation

# some-server.csr comes from a need to generate a certificate
./ sign some-server.csr

Again, remember that your clients will need to trust ca.crt

Anything else

If you need to generate a server certificate on the fly, openssl can be your friend again:

openssl req -new -out server.csr -days 3650 \
   -subj '/' \
   -newkey rsa:2048 -nodes -keyout server.key


Want to know more? Intermediate CAs are hard! is a follow-up post on this topic. 😎

Comments? Octodon, Twitter, GitHub, Reddit, or drop me a line!