The Authority's Handbook

A guide to setting up your own TLS/SSL certificate authority (CA) using OpenSSL.

Preface

This book started some time ago when I learned about the SSL chain of trust from my security professor. I set out to "learn by doing": I set up my own certificate authority, used it to sign my own certificates, and then used those certificates to encrypt files and sign content, and to decrypt and verify them again.

It was a valuable lesson in security, but gaining the knowledge to do this required scouring the Web and the OpenSSL manuals for an in-depth understanding. It was this understanding that let me decipher what each part of each command meant, and why each part was necessary. I compiled the precursor to this book as a series of annotated commands for my own personal reference, but it soon grew into a very large document. I thought to post it online, and so I gave it a home here.

Before I jump into the innards of TLS/SSL, I would like to point out that there is nothing wrong with trusting the "top level" certificate authorities: there is no reason not to trust certificates signed by DigiCert, Symantec/Verisign, GeoTrust, or Comodo. These certificate authorities have worked hard to earn their place among the few roots trusted by all major operating systems and browsers, and kudos to them for keeping our information secure through TLS/SSL. This tutorial is not meant to instill distrust of the trusted root certificate authorities. It is merely a technical guide and reference on how to use TLS/SSL to secure information as it travels across the Internet.

Acknowledgments

As previously mentioned, this information was compiled from several sources around the Internet and from the OpenSSL documentation, but among the most influential sources are: