Create your own Certificate Authority with TinyCA

If you run any sort of server that is accessible by the public, you know the importance of certificate authorities (CAs). These certificates give your users a bit of insurance that your site is actually what it claims to be and not a spoofed version of your site waiting to either snag some data or drop a small payload onto an unsuspecting users's machine.

The problem with CAs is that they can be a bit costly - especially for the administrator running a free service, or even a small business without the budget for purchasing CAs. Fortunately you don't have to shell out the money for CAs, because you can create them for free on your Linux machine with an easy to use application called TinyCA.


  • Create as many CAs and sub-CAs as you need.
  • Creation and revocation of x509 S/MIME certificates.
  • PKCS#10 requests can be imported and signed.
  • Both server and client CAs can be exported in multiple formats.

TinyCA works as a user-friendly front-end for openssl, so you don't have to issue all of the necessary commands to create and manage your CAs.

Installing TinyCA

You won't find TinyCA in your distribution's repositories. You can either add the necessary repository to your /etc/apt/sources.list file or you can install from one of the binaries found on the main page. Let's use Ubuntu and Debian as an example for installation.

If you want to install using apt-get you will need to first add the repository file to your sources.list file.  So open up the /etc/apt/sources.list file with your favorite editor and add the following line:
deb sid main

NOTE: Replace "sid" with the version you are using. If you are using Ubuntu 9.04 the example above will work.

Now run the command:

sudo apt-get update

You will notice that apt-get complains about the lack of a gpg key. That's okay because we are going to install using the command line. Now issue the command:

sudo apt-get install tinyca

This should install TinyCA without complaint. You might have to okay the installation of some dependencies.

Using TinyCA

Figure 1

Figure 1

To run TinyCA issue the command tinyca2 and the main window will open. Upon your first run you will be greeted by the Create CA window (see Figure 1). When you already have CAs this window will not open automatically. In this window you will create a new CA.

Figure 2

Figure 2

The information you have to enter should be fairly apparent as well as unique to your needs. After you fill out the information click OK which will open up a new window (see Figure 2). This new window will contain configurations that are passed onto SSL during the creation of the certificate. Like the first window, these configurations will be unique to your needs.

After you fill this information out click the OK button and the CA will be created. Depending on the speed of your machine, the process could take a bit of time. Most likely the process will be completed within 30-60 seconds.

Managing your CAs

Figure 3

Figure 3

When your CA is complete you will be taken back to the management window (see Figure 3). In this window you can create SubCAs for your main CA, you can import CAs, open CAs, create new CAs, and (most importantly) export CAs. You can't see the Export button in Figure 3, but if you were to click the down arrow on the upper right portion of the window you would see another button you can click to export a CA.

Of course you have just created a Root Certificate. This certificate will only be used for:

  • create new sub-CA:s
  • revoke sub-CA:s
  • renew sub-CA:s
  • export the root-CA:s certificate

For anything other than the above you would want to create a SubCA. We'll discuss creating a SubCA that can actually be used for your website in the next article.

Final thoughts

TinyCA takes a lot of work out of the creation and management of certificate authorities. For anyone that manages more than one web site or server, this tool is certainly a must have.

Please share this article


Responses to Create your own Certificate Authority with TinyCA

  1. dr2web September 17, 2009 at 12:07 am #

    thx jack ^^
    SystemRescueCD 1.3.0 Has Linux Kernel 2.6.31
    XFCE 4.6.1 and Firefox 3.5.2 are also included
    SystemRescueCD, the popular data-recovery and system-administration Linux distribution, has just been updated. Version 1.3.0 brings the latest and greatest, stable Linux kernel, 2.6.31, along with btrfs-progs 1.41.9, thus incorporating support for the new Btrfs file system, which has been undergoing development since 2007.

  2. Mr. Biggz September 17, 2009 at 6:20 am #

    You mention that certificates are used in preventing spoofing, wouldn't this just make the problem worse now that anyone could make one on their own for free?

  3. jack September 17, 2009 at 1:47 pm #

    Mr Biggz: That depends. With CAs you can actually create signed certificates that act like gpg keys. For very small sites you can hand out those keys to certain people and only those people could get to the site.

    otherwise it's a matter of making sure you look at a certificate for a site and judging if the information is valid.

  4. CA 4 Win September 17, 2009 at 7:55 pm #

    Thanks, great info.
    How about a free CA apps running on windows, is there any?

    • wegi October 14, 2009 at 9:26 pm #

      Yes there is XCA which offers a similar functionality on windows an MAC AFAIK.

  5. Martin March 15, 2010 at 1:09 pm #

    The screen shot in Figure 3 shows the toolbar with icons and also text. My TinyCA shows only icons. There seems to be nothing in preferences (or in the config file) to control this. How do you get the text? As this is something I don't use frequently, text to supplement the icons would be helpful!

Leave a Reply