A Guide to CA, CSR, CRT, and Keys (Digital Certificates)


January 17, 2024, Updated: May 06, 2024

Getting Started

In this post, I will guide you through the concepts of certificates and keys. Following the explanation of these concepts, I will demonstrate how to generate self-signed certificates specifically for deployment purposes.

Figure: Certificate Authorities (CA), Certificate Signing Requests (CSR), certificates (CRT) and public/private keys, and how they relate.
Illustrative example: an application uses its public and private keys to request a signed certificate from a Certificate Authority (CA). The application then presents the signed certificate to prove its authenticity.


Fundamental Concepts

Application Public/Private Keys
# Generate a private key
openssl genpkey -algorithm RSA -out app_private_key.pem

# The public key can be extracted from private key
openssl rsa -pubout -in app_private_key.pem -out app_public_key.pem

We now have the public and private keys for the application. Corresponding to step 1, we create the Certificate Signing Request (.csr). The CSR bundles the application's public key with its identity fields (the subject: Country, Organization, Common Name, ...) and is itself signed with the application's private key, so the CA can check that the requester really holds the key:

# Generate the certificate signing request
# (prompts interactively for the subject fields)
openssl req -new -key app_private_key.pem -out app_csr.csr


CA Public/Private Keys and Self-Signed Certificate

The CA first checks the request itself: the CSR is signed with the application's private key, so the CA verifies that signature with the public key embedded in the CSR (step 2). It then builds the certificate from the requested subject and public key, hashes it, and signs the hash with its own private key (step 3). The result is the signed certificate (.crt). Note that signing is not encryption: the certificate contents stay in the clear, and anyone holding the CA's public key can check the signature.

The CA signs with its private key, but it also needs its own CA certificate. The CA certificate's subject becomes the issuer field of the new certificate, it carries the CA's identity (Country, State, Organization, etc.), and it carries the public key that verifiers use to check the signature. That is what establishes the chain of trust: a client that trusts the CA certificate can verify anything the CA signed.

# Generate the private key, the public key 
# can be extracted from private key
openssl genpkey -algorithm RSA -out ca_private_key.pem

# Generate the self-signed CA certificate (prompts for the subject fields;
# the default validity is only 30 days, so -days is set explicitly)
openssl req -x509 -new -days 3650 -key ca_private_key.pem -out ca_certificate.crt

# The CA's public key can be extracted from either the private key or the
# CA certificate; the certificate additionally carries the CA's subject
# (Country, State, Organization, ...).
# Use the CA certificate and the CA private key to sign the CSR.
# Caveat: `openssl x509 -req` does not copy extensions such as
# subjectAltName from the CSR; supply them again with -extfile
# (OpenSSL 3.x also accepts -copy_extensions copy). Without -days the
# certificate is valid for only 30 days.
openssl x509 -req -in app_csr.csr \
  -CA ca_certificate.crt \
  -CAkey ca_private_key.pem \
  -CAcreateserial -days 365 -out app_certificate.crt
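The whole procedure, steps 1 to 3 of the figure plus the verification a client performs, as one added example (this is not code from the original post). It fills in what the bare commands above leave implicit: a CA certificate that is actually marked CA:TRUE, a CSR carrying a subjectAltName, signing that preserves that SAN, explicit validity periods, and the signature checks at both ends. The names app.example.test, "Example Lab" and the working directory are assumptions of this example; it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the original post: the complete
# CA -> CSR -> signed certificate -> verification flow from the figure.
# Names such as app.example.test and "Example Lab" are this example's own.
# Requires OpenSSL 1.1.1+ (for -addext).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CA key pair and self-signed CA certificate. A private config file keeps the
# result independent of the system openssl.cnf. CA:TRUE plus keyCertSign is
# what lets verifiers accept this certificate as an issuer; the default
# validity is only 30 days, so -days is set explicitly.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C = US
O = Example Lab
CN = Example Lab Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/ca_private_key.pem" 2>/dev/null
  openssl req -x509 -new -days 3650 -config "$WORK/ca.cnf" \
    -key "$WORK/ca_private_key.pem" -out "$WORK/ca_certificate.crt"
}

# Step 1: application key pair and CSR. -subj replaces the interactive
# prompts; the SAN is what TLS clients match the hostname against.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/app_private_key.pem" 2>/dev/null
  openssl req -new -key "$WORK/app_private_key.pem" \
    -subj "/C=US/O=Example Lab/CN=app.example.test" \
    -addext "subjectAltName=DNS:app.example.test,DNS:host.docker.internal,IP:172.17.0.1" \
    -out "$WORK/app_csr.csr"
}

# Step 2: the CSR is self-signed with the applicant's private key; the CA
# checks that signature with the public key carried inside the CSR.
verify_csr() {
  openssl req -in "$WORK/app_csr.csr" -verify -noout 2>&1 | grep -q "verify OK"
}

# Step 3: the CA signs. `openssl x509 -req` does not copy extensions from the
# CSR, so the SAN is supplied again via -extfile, together with CA:FALSE so
# the leaf cannot itself act as an issuer.
sign_csr() {
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:app.example.test,DNS:host.docker.internal,IP:172.17.0.1
EOF
  openssl x509 -req -days 365 -in "$WORK/app_csr.csr" \
    -CA "$WORK/ca_certificate.crt" -CAkey "$WORK/ca_private_key.pem" \
    -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/app_certificate.crt" 2>/dev/null
}

# What a client does with the result: chain the leaf back to a trusted CA
# certificate and check the hostname it connected to against the SAN.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca_certificate.crt" -verify_hostname "$1" \
    "$WORK/app_certificate.crt" >/dev/null 2>&1
}

# Inspect the signed certificate (issuer, SAN, ...) for a given string.
leaf_has() {
  openssl x509 -in "$WORK/app_certificate.crt" -noout -text | grep -q -- "$1"
}

# `sh this_script.sh run` builds everything and reports the working directory.
if [ "${1:-}" = "run" ]; then
  make_ca && make_csr && verify_csr && sign_csr
  verify_leaf host.docker.internal && echo "chain and hostname OK in $WORK"
fi
```

Run it with the argument `run`; the files land in a fresh temporary directory (or in `$WORK` if you export one). `verify_leaf` succeeds for the names in the SAN and fails for any other name, which is the same decision a browser or HTTP client makes when it connects to the application.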

There is another useful tool called mkcert, which automates the same CA-plus-leaf flow for local development and simplifies the process even further:

# First, create a directory in which we'll create the certificates
mkdir -p certs

# Export the CAROOT env variable
export CAROOT=$(pwd)/certs

# Create a new local CA. This writes two files into $CAROOT,
# rootCA.pem (the CA certificate) and rootCA-key.pem (the CA private key),
# and installs rootCA.pem into the system and browser trust stores.
# Anything signed with rootCA-key.pem is then trusted on this machine,
# so keep that key private.
mkcert -install

# Generate the TLS certificate and key for the application.
# Here the certificate is valid for both "host.docker.internal"
# and "172.17.0.1" (mkcert puts both names in the subjectAltName).
mkcert -cert-file=$CAROOT/tls.crt \
  -key-file=$CAROOT/tls.key \
  host.docker.internal 172.17.0.1

That’s it!


Tags: Linux, Networking, Cybersecurity