OpenSSL Certificate Authority Shell Scripts

Create Client Certificates for a SSL/TLS based secure HTTPS web server with OpenSSL CA



March 2007 Email encryption and signing works now with the certificates created by this application in Thunderbird and Outlook. The Thunderbird team has finally fixed the bug. 

There was little improvement on the scripts themselves. The main work was done on improving the integration with The Address Book Reloaded as certificate managing database and Intranet address book. There is still lots of work to do to make it more convenient to issue certificates other than pasting commands into a shell. The thing that prevents this until now is that usually the address book is running on a unsecured server, while the certificate authority must be run on a secure computer, which would need a means to sync databases between instances of the address book.

Anyway feel free to post your ideas.

September 2006

I almost solved how to use these certificates for email encryption with S/MIME and Thunderbird. Unfortunately Thunderbird wants to use the certificates also for the SSL/TLS connection to the mail server, which does not work because the certs are self-signed! If you switch off SSL encryption for the server connection S/MIME singing and encryption work fine. I suppose this is a bug in Thunderbird, maybe Outlook works better.

  1. Import the .p12 file into Thunderbird (This may break your ability to send and receive mail because Thunderbird will use the certificate for the TLS connection to the mail server by default) Now we allow the self-signed ca.crt being used to verify signatures:

  2. Options > Privacy > Security > View Certificates >Authorities

  3. Find your own Certificate Authority

  4. Edit > [check] This certificate identifies mail users (and nothing else).

  5. Please post your experiences:

For signing email one only needs his own certificate installed. The CA public key certificate will verify the signatures of others.

To encrypt email one needs the public key certificate of the other person (.crt file) and install it.

  1. Options > Privacy > Security > View Certificates > Other People

  2. Import the other's certificate.

August 2006

The integration with TAB-2 has matured, although it is not an instant CA solution yet. It works as follows:

The Address Book Reloaded (TAB-2) is a PHP address book web application (see below). An administrator or a contacts manager enters contacts into the address book. These contacts are flagged as 'added' and the CA administrator can generate shell commands via the web browser that he can copy into a script to issue the certificates on a secure machine with openssl-ca provided commands. If an administrator/manager deletes a contact, then the contact is included into the commands generated as revokecert ''.

This is a screenshot of the interface (plugin) in TAB-2:

July 2006

I have integrated the openssl-CA into (currently as beta extension). It works great. Users can retrieve their reissued cert passwords from their own address card. (Re)issue, revocation, export password management, password retrieval with PIN. I am running an intranet server with 500 contacts with openssl-ca and tab-2. Unfortunately the features are still undocumented, but an SSL-CA button should appear for administrators logged into tab-2 on the main address list beside PDF printing.

The Address Book Reloaded (tab-2) is a PHP address book web application to store contact details (with pictures) of employees/customers in utf8 format on an intranet. Users or address managers can enter records. Features Google Maps, Maporama, distributed management, PDF address books (standard fonts only). Try the Address Book Reloaded DEMO (sorry no CA features demo as admin privileges are required. I will add a screen shot later.)


DOWNLOAD openssl-ca from SourceForge Logo


This readme contains step-by-step instructions to create a (self-signed)
Certificate Authority for your web-server.

The scripts simplify the following work with openssl ca:
    1. Create a root CA
    2. Issue server certificates
    3. Issue client certificates
    4. Revoke client certificates
    5. Mail them to users

    a) ca directory
    b) dated user directories

HINT: Copy these scripts to an encrypred volume on a secure computer.
      Do not run them on your web-server.
      For Windows/cygwin check out:

1. Create a self signed ROOT-certificate:

[Optional: edit the defaults in genrootca - you may need to start over a few times until your CA sticks]

Enter secret-CA-password
Enter secret-CA-password
Enter secret-CA-password
Enter public certificate data [Or accept the defaults].

RESULT: ca (directory) ; ca/ca.crt ; ca/ca.key

2. Create a server certificate

genservercert -C "" -e "" -p "secret-CA-password" -o "My Company" -u "My Department" -c US -s "1 Company Lane" -l "Sunnyvale, CA 12345"

$ ll ca

-rw-r--r-- 1 joe Domain Users 1143 Jan 19 18:01 ca.crt
drwxr-xr-x 2 joe Domain Users    0 Jan 19 18:10 ca.db.certs
-rw-r--r-- 1 joe Domain Users  151 Jan 19 18:10 ca.db.index
-rw-r--r-- 1 joe Domain Users   21 Jan 19 18:10 ca.db.index.attr
-rw-r--r-- 1 joe Domain Users    3 Jan 19 18:10 ca.db.serial
-rw-r--r-- 1 joe Domain Users  963 Jan 19 18:00 ca.key

---- possible errors: ----
unable to load CA private key
3064:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:ev
3064:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

>>>>>>>>>>>>>> SOLUTION >>>>>>>>>>>>>>>>>>
===> -p is the wrong password !!! Make sure you use the right password.

3. Configure the server (apache2 - SuSE)

cp ca/ca.crt /etc/apache2/ssl.crt/
cp /etc/apache2/ssl.crt/
cd /etc/apache2/ssl.crt/ ; make 
cp /etc/apache2/ssl.key
vhost or http.conf:
 SSLEngine on
 SSLProtocol -ALL +SSLv3 +TLSv1
 SSLCertificateFile /etc/apache2/ssl.crt/myserver.example.crt
 SSLCertificateKeyFile /etc/apache2/ssl.key/myserver.example.key
 SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
 SSLCACertificatePath /etc/apache2/ssl.crt
 # enable if needed
 SSLCARevocationPath /etc/apache2/ssl.crl
 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
 SSLVerifyClient require
 SSLVerifyDepth 1
Open port on firewall
(if needed) Add ports to listen.conf/vhost 
rcapache2 restart

4. Create user certificates

genusercert -C "Joe Sample" -e -o "Acme Inc." -u "Sales" -l "Nashville" -s "TN" -c US -d "730" -x "joes-import-password" -p secret-CA-password

Batch processing:

[Edit the xls and]
Save/Generate a CSV-file [No field separators and " characters allowed!].

[make sure it uses commas to separate fields - Germany uses ; instead!!]
[If so change the FS=';' in csv2usercerts script to whatever you use!]


Check to verify the generated commands are right.

Batch create the certificates:

./ -p "very sercret CA root password"

5. Install pk12 on a user's browser (Firefox, IE)

Double click on the file and follow the instuctions.

Provide the export-password that you used to generate the certificate.