Creating a Self-Signed Public Key Infrastructure (PKI)

This is part one of a series on creating your own self-signed PKI and some ways to use it to set up SSL for your web server or create your own OpenVPN server.

Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.

Getting Started

  1. Download X Certificate Key Manager
  2. Extract X Certificate Key Manager
  3. Launch xca.exe
  4. Select File > Create Database
  5. Name your PKI database and click save
  6. Enter a password for your database
  7. Re-type to confirm and click OK

Creating the Root Certificate Authority

  1. Navigate to the Certificates tab
  2. Click the New Certificate button
  3. Click the Subject tab
  4. Complete the Distinguished Name section

    internalName: i12bretro Root CA
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationalUnitName: i12bretro Certificate Authority
    commonName: i12bretro Root CA

  5. Click the Generate a New Key button
  6. Enter a name and set the key size to at least 2048
  7. Click Create
  8. Click on the Extensions tab
  9. Select Certificate Authority from the type list
  10. Update the validity dates to fit your needs
  11. Click the Key Usage tab
  12. Under Key Usage select Digital Signature, Key Encipherment and Certificate Sign
  13. Click OK to create the certificate

Creating the Intermediate Certificate Authority

  1. From the Certificates tab, right click on your Root CA certificate
  2. Select New
  3. On the Source tab, make sure Use this Certificate for signing is selected
  4. Verify your Root CA certificate is selected from the drop down
  5. Click the Subject tab
  6. Complete the Distinguished Name section

    internalName: i12bretro Intermediate CA
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationalUnitName: i12bretro Certificate Authority
    commonName: i12bretro Intermediate CA

  7. Click the Generate a New Key button
  8. Enter a name and set the key size to at least 2048
  9. Click Create
  10. Click on the Extensions tab
  11. Select Certificate Authority from the type list
  12. Update the validity dates to fit your needs
  13. Click the Key Usage tab
  14. Under Key Usage select Digital Signature, Key Encipherment and Certificate Sign
  15. Click OK to create the certificate
  16. From this point forward, use the intermediate certificate to create end entity certificates
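
Before issuing end entity certificates, it is worth confirming that both CA certificates carry the CA flag and the Certificate Sign key usage, and that the intermediate verifies against the root. The script below is an added example, not part of the original walkthrough: it builds constructed stand-ins for the two certificates with the openssl command line (same Distinguished Name values and key usages as the steps above) and checks them. The file names, validity periods and function names are assumptions.

```shell
# Added example: stand-ins for the Root and Intermediate CA certificates that
# XCA would export as PEM. File names and function names are assumptions.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal config carrying the CA extensions selected in the XCA steps.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
subjectKeyIdentifier = hash
EOF

DN="/C=US/ST=Virginia/L=Northern/O=i12bretro/OU=i12bretro Certificate Authority"

make_root() {   # self-signed root with a 2048-bit RSA key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -subj "$DN/CN=i12bretro Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

make_intermediate() {   # request for the intermediate, signed by the root key
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "$DN/CN=i12bretro Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/int.csr" -sha256 -days 1825 \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/int.crt" 2>/dev/null
}

is_ca() {   # succeeds only if $1 is marked as a CA and may sign certificates
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  echo "$text" | grep -q "CA:TRUE" &&
  echo "$text" | grep -q "Certificate Sign"
}

chains_to_root() {   # $1 = root certificate, $2 = certificate issued under it
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root && make_intermediate &&
is_ca "$WORK/root.crt" && is_ca "$WORK/int.crt" &&
chains_to_root "$WORK/root.crt" "$WORK/int.crt" &&
echo "intermediate chains to root; both are CA certificates"
```

To check the real certificates, export them from XCA in PEM format and pass those files to is_ca and chains_to_root instead of the generated ones.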