A private PKI lets you issue and manage your own TLS certificates for internal services, mutual TLS (mTLS) authentication, and VPN connections. This guide covers creating a certificate authority (CA), issuing certificates, and managing the certificate lifecycle.
When You Need a Private PKI
- Internal service-to-service authentication and encryption (mTLS)
- VPN client certificates (OpenVPN, IPsec/IKEv2; WireGuard authenticates with raw public keys, not certificates)
- Internal web applications not exposed to the internet
- IoT device authentication
Creating a Root CA
# Create CA directory structure
mkdir -p ~/pki/{root-ca,intermediate-ca,certs}
cd ~/pki/root-ca
# Generate root CA private key. Keep it offline and passphrase-protected:
# a compromised root key means re-issuing every certificate in the hierarchy.
openssl genrsa -aes256 -out root-ca.key 4096
chmod 400 root-ca.key
# Generate root CA certificate (valid 10 years)
openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt \
-subj "/C=US/ST=New York/O=MyOrg/CN=MyOrg Root CA"
# Verify the certificate. The output must show "CA:TRUE" under X509v3 Basic Constraints
# (req -x509 takes it from the x509_extensions section of openssl.cnf, v3_ca by default);
# without it no client will accept this certificate as a CA.
openssl x509 -in root-ca.crt -text -noout
Creating an Intermediate CA
# For production, never issue end-entity certificates directly from the root CA.
# Create an intermediate CA for day-to-day issuance so the root key can stay offline.
cd ~/pki/intermediate-ca
openssl genrsa -out intermediate.key 4096
chmod 400 intermediate.key
openssl req -new -key intermediate.key -out intermediate.csr \
-subj "/C=US/ST=New York/O=MyOrg/CN=MyOrg Intermediate CA"
# Extensions that make this a CA certificate. `openssl x509 -req` adds none on its own,
# and verifiers reject an intermediate without CA:TRUE. pathlen:0 forbids further sub-CAs.
cat > intermediate-ext.cnf <<EOF
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
# Sign with root CA (valid 5 years)
openssl x509 -req -in intermediate.csr -CA ../root-ca/root-ca.crt \
-CAkey ../root-ca/root-ca.key -CAcreateserial \
-extfile intermediate-ext.cnf -out intermediate.crt -days 1825
# Confirm the root validates the intermediate before issuing anything from it
openssl verify -CAfile ../root-ca/root-ca.crt intermediate.crt
# Create certificate chain (served alongside each leaf certificate)
cat intermediate.crt ../root-ca/root-ca.crt > ca-chain.crt
Issuing Server Certificates
# Generate server key and CSR (2048-bit RSA is sufficient for a short-lived leaf certificate)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr \
-subj "/C=US/ST=New York/O=MyOrg/CN=api.internal.myorg.com"
# Create extensions file for SAN (Subject Alternative Names). Modern clients ignore the CN
# and match the hostname against the SAN only, so this file is required, not optional.
cat > server-ext.cnf
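The whole procedure above (root CA, constrained intermediate, server certificate with SANs), run end to end as an added example; this is not code from the original guide. It spells out every CA extension in `-extfile` profiles, verifies the leaf the way a TLS client would (root trusted, intermediate untrusted, `sslserver` purpose, hostname match), and also signs an intermediate with a bare `openssl x509 -req` and no extensions, as the guide's snippet does, to show the verifier rejecting that chain. Assumptions: an `openssl` binary (1.1.1 or newer) on PATH; 2048-bit unencrypted keys in a scratch directory so the demo runs quickly; the extra SAN entries `DNS:api` and `IP:10.0.0.10` are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: root -> intermediate -> server certificate with SANs,
# every CA extension spelled out in -extfile profiles, then the checks a TLS client performs.
# Also reproduces the guide's bare `openssl x509 -req` intermediate (no extensions) to show
# the verifier rejecting it. Assumes openssl 1.1.1+ on PATH; uses 2048-bit, unencrypted keys
# in a scratch directory for speed (real CAs: 4096-bit keys, passphrase or HSM, root offline).
set -eu
SERVER_NAME="api.internal.myorg.com"   # hostname from the guide

# Minimal req config so nothing here depends on the system openssl.cnf.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# CA extension profile. $1 = file, $2 = root|intermediate.
# pathlen:0 lets the intermediate sign end-entity certificates only.
write_ca_ext() {
    {
        echo "keyUsage = critical,keyCertSign,cRLSign"
        echo "subjectKeyIdentifier = hash"
        if [ "$2" = root ]; then
            echo "basicConstraints = critical,CA:TRUE"
        else
            echo "basicConstraints = critical,CA:TRUE,pathlen:0"
            echo "authorityKeyIdentifier = keyid:always"
        fi
    } > "$1"
}

# Server profile. $1 = file, $2 = DNS name. The extra SAN entries are made up for the demo.
write_server_ext() {
    cat > "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2,DNS:api,IP:10.0.0.10
EOF
}

# Key and CSR. $1 = basename, $2 = CN. Relies on $CONF set by build_pki.
new_csr() {
    openssl genrsa -out "$1.key" 2048
    openssl req -new -config "$CONF" -key "$1.key" -out "$1.csr" \
        -subj "/C=US/ST=New York/O=MyOrg/CN=$2"
}

# Build the PKI under $1 (runs in a subshell so the caller's cwd is untouched).
build_pki() (
    cd "$1"
    CONF="$PWD/req.cnf"
    write_req_config "$CONF"
    write_ca_ext root-ext.cnf root
    write_ca_ext intermediate-ext.cnf intermediate
    write_server_ext server-ext.cnf "$SERVER_NAME"

    # Root: self-signed from its own CSR so its extensions come only from root-ext.cnf.
    new_csr root-ca "MyOrg Root CA"
    openssl x509 -req -in root-ca.csr -signkey root-ca.key -days 3650 -sha256 \
        -extfile root-ext.cnf -out root-ca.crt

    # Properly constrained intermediate, then the server certificate it issues.
    new_csr intermediate "MyOrg Intermediate CA"
    openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1825 -sha256 -extfile intermediate-ext.cnf -out intermediate.crt
    new_csr server "$SERVER_NAME"
    openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 397 -sha256 -extfile server-ext.cnf -out server.crt
    cat server.crt intermediate.crt > server-fullchain.crt   # what the TLS server presents

    # Failure case: intermediate signed with no -extfile, exactly as in the guide's snippet.
    new_csr bad-intermediate "MyOrg Unconstrained CA"
    openssl x509 -req -in bad-intermediate.csr -CA root-ca.crt -CAkey root-ca.key \
        -CAcreateserial -days 1825 -sha256 -out bad-intermediate.crt
    new_csr bad-server "$SERVER_NAME"
    openssl x509 -req -in bad-server.csr -CA bad-intermediate.crt -CAkey bad-intermediate.key \
        -CAcreateserial -days 397 -sha256 -extfile server-ext.cnf -out bad-server.crt
)

# Verify a leaf as a TLS client does: root trusted, intermediate untrusted, server purpose
# and hostname checked. $1 = dir, $2 = intermediate file, $3 = leaf file. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/$2" -purpose sslserver \
            -verify_hostname "$SERVER_NAME" "$1/$3" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Does the certificate carry the expected SAN? $1 = cert, $2 = DNS name. Prints yes or no.
has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo yes; else echo no; fi
}

main() {
    work=$(mktemp -d)
    build_pki "$work"
    echo "constrained intermediate:   $(verify_chain "$work" intermediate.crt server.crt)"
    echo "unconstrained intermediate: $(verify_chain "$work" bad-intermediate.crt bad-server.crt)"
    echo "SAN present on leaf:        $(has_san "$work/server.crt" "$SERVER_NAME")"
    rm -rf "$work"
}
main
```

The unconstrained chain fails with "invalid CA certificate": OpenSSL only treats a non-self-signed certificate as a CA when basicConstraints says CA:TRUE, so the guide's plain `openssl x509 -req` intermediate cannot anchor any leaf. `server-fullchain.crt` (leaf followed by intermediate) is the file a web server or mTLS peer should present; clients need only the root in their trust store.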