If you decide to run your own certificate authority for internal certificates, you will be annoyed by all the housekeeping tasks involved. This will ring especially true if you need a new certificate just a few times a year and keeping a separate, always-ready machine is way too much overhead.
As pretty much all of the above applies to me, I decided to create a helper script to ensure I set things up the same way every time, and I kept it really close to how I would do it manually.
The first action is to create the root CA certificate (will be saved in
Then we can give out, for example, TLS client and server certificates or just something for testing:
./microca.sh -u Client myclient
./microca.sh -u Server myserver
./microca.sh mytest
It is even possible to create an intermediate CA and use it to create other certificates:
./microca.sh -a intermediate
./microca.sh -c intermediate -u Client myclient
./microca.sh -c intermediate -u Server myserver
./microca.sh -c intermediate mytest
[2017-03-17: Setting subjectAltName is also supported.]
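For comparison, the same kind of chain (root CA, intermediate CA, server certificate with a subjectAltName) can be built and checked with plain openssl. This is an added example and not the contents of microca.sh; the file names, subject names, extension sections and SAN value are assumptions, and OpenSSL 1.1.1 or later is assumed.

```bash
# Added example: manual openssl steps, NOT the code of microca.sh.
# File names, subjects and the SAN are constructed. Keys are written
# unencrypted (-nodes) to keep the demo non-interactive; protect real CA keys.
build_chain() {    # $1 = empty working directory
    ( cd "$1" || exit 1
    umask 077      # private keys readable by the owner only
    cat > ca.cnf <<'EOF' || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myserver.example.test
EOF
    # Root CA: self-signed, may only sign certificates and CRLs.
    openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.cer || exit 1
    # Intermediate CA: signed by the root; pathlen:0 forbids further sub-CAs.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr || exit 1
    openssl x509 -req -in intermediate.csr -CA root.cer -CAkey root.key \
        -CAcreateserial -sha256 -days 1825 \
        -extfile ca.cnf -extensions v3_intermediate -out intermediate.cer || exit 1
    # Server certificate: signed by the intermediate, serverAuth only, with SAN.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=myserver" \
        -keyout myserver.key -out myserver.csr || exit 1
    openssl x509 -req -in myserver.csr -CA intermediate.cer -CAkey intermediate.key \
        -CAcreateserial -sha256 -days 365 \
        -extfile ca.cnf -extensions v3_server -out myserver.cer || exit 1
    )
}

check_purpose() {  # $1 = directory, $2 = sslserver | sslclient
    openssl verify -CAfile "$1/root.cer" -untrusted "$1/intermediate.cer" \
        -purpose "$2" "$1/myserver.cer"
}
# Usage: d=$(mktemp -d); build_chain "$d" && check_purpose "$d" sslserver
```

Running `check_purpose` with `sslclient` against the same certificate fails, which is the check that confirms a Server certificate cannot be reused for client authentication.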