If you are playing a lot with SSL/TLS, at certain point it starts making sense to create your own self-signed certificate authority. However, where to make something that needs to be as secret as possible?
For CA creation I personally love to use Raspberry Pi with Raspbian Jessie Lite for this. Once you create SD image, and assuming you don't plug the network in, it is as close to secure computer as it can get.
While ideally (and in this guide) you are not going to save anything to disk without password, if you do slip it is really easy to recover on Raspberry Pi. Just destroy the SD card you used and no leaks will occur. Of course, paranoid should destroy SD card regardless. Just in case. :)
But let's get back to creation of our certificate authority.
First we need to create a key. With OpenSSL you can even choose to protect it with password from the very start. Guess what? We're gonna use that:
# openssl genrsa -aes256 -out ca.key 2048
Once key is there, we need to sign it. Considering RSA 2048 key (approximately 112 bits of security) is considered by NIST to be acceptable until 2030, 10 years duration seems reasonable. You can fill as much or as little information as you wish. If nothing else, fill out common name to simplify your life:
# openssl req -new -x509 -key ca.key -sha256 -days 3650 -extensions myext -config <(cat /etc/ssl/openssl.cnf <(echo -e "\n[myext]\nbasicConstraints=CA:true\nkeyUsage=cRLSign,keyCertSign")) -out ca.cer
Country Name (2 letter code) [AU]: .
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: .
Organization Name (eg, company) [Internet Widgits Pty Ltd]: .
Organizational Unit Name (eg, section) []: .
Common Name (e.g. server FQDN or YOUR name []: .
Email Address []: .
With this our certificate is ready. I still like to make a PKCS #12 packet for safe keeping. Do not forget to set the passphrase here too (it will ask):
# openssl pkcs12 -export -in ca.cer -inkey ca.key -out ca.p12
To get all this out of Pi, we can cheat and use FAT32 partition on SD card:
# sudo mkdir /boot/ca
# sudo cp *.cer /boot/ca/
# sudo cp *.p12 /boot/ca/
Now we have a self-signed CA we can use it to create other server or client keys.