Understanding the openssl ca subcommand
The openssl ca subcommand can be useful for running a mini-CA inside an organization. This kind of CA can, for instance, issue certificates for internal servers. Using an internal CA saves costs compared to using an external commercial CA, but cost is not the only advantage. Many internal servers should not be exposed to access from the internet. This restriction blocks the automated server checks that external CAs perform before issuing cheap or free certificates. Also, in some cases, it is undesirable to expose knowledge about the existence or name of the internal servers. When ordering a certificate from an external CA, you have to expose the internal server's name to the CA. Furthermore, the CA may publish the certificate information to a Certificate Transparency (CT) log, leading to even more unwanted information exposure about the company's internal servers.
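The mini-CA described above, as an added shell example that is not from the book or from OpenSSL's own documentation: it builds the directory layout and configuration file that openssl ca expects, creates a self-signed root, lets a server generate its own key and CSR (so the private key never leaves the server), signs the CSR with openssl ca, and verifies the issued certificate against the root. Every path, organization name and host name (Example Corp, intranet.example.internal) is constructed for the demo, and the script assumes the openssl binary is on PATH. The config copies subjectAltName from the CSR but pins the organization through the policy section and forces CA:FALSE in the extension section, so a request cannot obtain CA status even though its extensions are copied.

```shell
#!/bin/sh
# Added example (not the book's code): a minimal internal CA driven by `openssl ca`.
# Assumes `openssl` is on PATH; all names and paths below are constructed for the demo.
set -e

# Create the files `openssl ca` needs (database, serial, output dir, config)
# and a self-signed root certificate whose private key stays on the CA host.
setup_ca() {
  ca="$1"
  mkdir -p "$ca/newcerts" "$ca/private"
  : > "$ca/index.txt"          # certificate database, initially empty
  echo 1000 > "$ca/serial"     # next serial number (hex)
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = mini_ca

[ mini_ca ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_internal
# Copy subjectAltName from the CSR; for any extension that server_ext also
# defines, the config wins, so a CSR can never request CA:TRUE for itself.
copy_extensions = copy
x509_extensions = server_ext

[ policy_internal ]
organizationName = match      # must equal the CA's own O
commonName       = supplied   # must be present; anything else is dropped

[ server_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = root_ext

[ req_dn ]
O  = Example Corp
CN = Example Corp Internal Root CA

[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$ca/ca.cnf" -keyout "$ca/private/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1
}

# The server side: generate a key and a CSR carrying the host name as a SAN.
# Only the CSR is handed to the CA.
make_csr() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = ext
[ dn ]
O  = Example Corp
CN = $host
[ ext ]
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
}

# The CA side: issue a certificate for the CSR (-batch skips the interactive prompts).
sign_csr() {
  ca="$1"; csr="$2"; out="$3"
  openssl ca -batch -notext -config "$ca/ca.cnf" -in "$csr" -out "$out" >/dev/null 2>&1
}

# Check that the certificate chains to the root, names the host, and is not a CA.
verify_cert() {
  ca="$1"; cert="$2"; host="$3"
  openssl verify -CAfile "$ca/ca.crt" "$cert" >/dev/null 2>&1 &&
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" &&
  ! openssl x509 -in "$cert" -noout -text | grep -q "CA:TRUE"
}

# Run the whole flow in a scratch directory; prints that directory on success.
demo() {
  work=$(mktemp -d) &&
  setup_ca "$work/ca" &&
  make_csr "$work/srv" intranet.example.internal &&
  sign_csr "$work/ca" "$work/srv/intranet.example.internal.csr" \
           "$work/srv/intranet.example.internal.crt" &&
  verify_cert "$work/ca" "$work/srv/intranet.example.internal.crt" intranet.example.internal &&
  echo "$work"
}

if demo >/dev/null; then echo "certificate issued and verified"; else echo "failed"; exit 1; fi
```

After a run, the CA's index.txt holds one line per issued certificate and serial holds the next serial number; both files are the CA's state and must be backed up and protected along with private/ca.key.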
Another reason to have an internal CA is to issue client certificates...