How to set up your own Root Certificate Authority (CA)
This article describes how to set up your own Root Certificate Authority (CA), which allows you to sign certificates and create Certificate Revocation Lists (CRLs).
Setting up your own Root CA simplifies certificate management in a larger installation, as not every certificate needs to be distributed to every host. Instead, only the host's own certificate and the certificate plus CRL of the CA have to be present on each host. All certificates signed by the CA are then trusted automatically, as long as they are not listed in the current revocation list (CRL).

The CA can later be used to sign any certificate, independent of its intended use case (e.g. web server, OPC UA server, OPC UA client, ...).
Prerequisites
- xca: X certificate and key management
Creating a new Root Certificate Authority using xca
- Open the tool xca.
- Create a new database
Create a private key
- Go to the tab Private Keys and press New Key
- Provide a name for the key
- Press Create
For security reasons, do not export the private key of the Certificate Authority unless there is a good reason to do so!
The private key of the CA allows you to sign any certificate, which in turn is trusted by every host/service that trusts the CA!
Create a new certificate
- Go to the tab Certificates and press New Certificate
- Select Create a self signed certificate
Set the subject of the new certificate
- Go to the tab Subject
- Enter an internal name for the certificate
- Provide information about your organization (not mandatory, but best practice)
- Ensure that the private key created in the previous steps is selected
Set the extensions of the new certificate
- Go to the tab Extensions
- Set X509v3 Basic Constraints to:
  - Type: Certification Authority
  - Path length: 0 (only use a higher number if sub-CAs shall be allowed)
  - Select Critical
- Set Key identifier:
  - Select X509v3 Subject Key Identifier
  - Select X509v3 Authority Key Identifier
- Set validity as required
Set the key usage of the new certificate
- Go to the tab Key usage
- Set X509v3 Key Usage:
  - Select Critical
  - Select Certificate Sign, CRL Sign
- Press OK
Export the certificate
- Select the newly generated certificate and press Export
- Provide a file name for the certificate and ensure that the file extension is set to .der
- Ensure that the export format is set to DER
- Press OK
Create a new revocation list (CRL)
- Go to the tab Revocation lists and press New CRL
- Set up the parameters as required
- Press OK
The CRL becomes invalid once the defined period has elapsed. A new CRL must then be created and distributed to all hosts!
Export the revocation list
- Select the newly generated revocation list and press Export
- Provide a file name for the revocation list and ensure that the file extension is set to .crl
- Ensure that the export format is set to DER
- Press OK