Build your own CA
Chain of trust
How to config
How to use


"OpenSSL is a free and open-source cryptographic library that provides several command-line tools for handling digital certificates. Some of these tools can be used to act as a certificate authority.

A certificate authority (CA) is an entity that signs digital certificates. Many websites need to let their customers know that the connection is secure, so they pay an internationally trusted CA (eg, VeriSign, DigiCert) to sign a certificate for their domain.

In some cases it may make more sense to act as your own CA, rather than paying a CA like DigiCert. Common cases include securing an intranet website, or for issuing certificates to clients to allow them to authenticate to a server (eg, Apache, OpenVPN)."

(Source: OpenSSL Certificate Authority by Jamie Nguyen)

You can find a lot of such descriptions to build your own CA on the Internet. But the description of Jamie Nguyen is my personal favourite.

Chain of trust

To make it short. There are 3 participants in the "Chain of trust" story:

  • Root Certificate
  • Intermediate Certificate
  • End-entity Certificate

(Source: Wikipedia)

But what is the relationship between the 3 participants? This can be better explained using an example. So let’s take a closer look at the certificate for the domain "":

The certificate was issued by intermediate entity "DigiCert SHA2 Secure Server CA" for the end entity "". That may be a little confusing now that the certificate for the domain "com" was issued for "org". But we will take a deeper look in the next pictures:

The following assignment for the 3 participants results from the "Certificate Hierarchy":

Root Certificate

=  DigiCert Global Root CA

Intermediate Certificate  

=  DigiCert SHA2 Secure Server CA

End-entity Certificate


And here is the solution to the confusion with the domain names:

The "Subject Alt Name" is the magic, the certificate is valid for all these names here. Next we generate all of these certificates for our own use with the TinyONE Server.

How to config

This certification authority uses Elliptic Curve Cryptography (ECC) for the certificates. The root and intermediate certificate should be generated for the fictional company "Example":

Root Certificate

=  Example Non-Public ECC Root CA

Intermediate Certificate  

=  Example Non-Public ECC CA

The certificate should be valid for the following URLs:

End-entity Certificate #1  

=  tiny94E296.local

End-entity Certificate #2  

=  tiny.local

Note: The CA which is built here is a "Self-signed Certificate Authority". This means that the certificate is not easily recognized by the browsers. More on this in section "How to use"

Note: The CA here is command line based. If you want to use a CA with GUI, please take a
look at XCA.

Download and unzip the build script in a directory of your choice. If the scripts are to be executed under Windows, MSYS2 is still required for the execution. OpenSSL must also be installed under MSYS2. In case of a Linux or macOS machine, make sure that OpenSSL is also installed.

Open the file "" with your prefered editor and change the following lines as follows:

export root_c="DE"
export root_st="Hesse"
export root_o="Example"

With these settings the country (c), state (st) and the name of the organization (o) is set. Thats all of the changes whats we need for the moment.

How to use

The directory where the build script was unzip should look like:

The first script, "" must be startet with "." (dot space all other can be startet with "./" (dot slash) like "./"

Execute all scripts from 00 to 03, in this order. This creates the root and intermediate keys and there certificates. Furthermore a new directory "ca" is created where all the keys and certificates are stored.

Next, the key and certificate for "tiny94E296.local" will be created. Therefore use:

./ 94E296

The private key and the certificates for the TinyONE Server are now under:


Copy the files described here into the "certs" directory of the TinyONE Server.

But there was something else. Since the certificate for the server was created by a self-signed CA, it is not yet accepted by the browser. Therefore, the root certificate must first be imported into the browser. The root certificate is "ca.cert.pem" and is located at:


Unfortunately, you will have to find yourself how this root certificate is imported into the browser, because there exist different ways for the different browsers.


The repository can be found on GitHub at ecc-rootca-build-script.