
I have created a letsencrypt.org certificate using a letsencrypt run, which works fine as an SSL certificate on apache2. How can I create another server certificate signed (and thus trusted) by the letsencrypt.org certificate?

I tried to create a CSR with

openssl req -new -key file.key -out file.csr

which I assume I can sign with

openssl x509 -extensions server_cert -req -in file.csr -CA /etc/letsencrypt/live/[domain name]/fullchain.pem -CAkey /etc/letsencrypt/live/[domain name]/privkey.pem -CAcreateserial -out file.pem -days 500 -sha256

The result is the SEC_ERROR_INADEQUATE_KEY_USAGE error in Firefox 47.0 on Ubuntu 16.04.

I assume the resulting certificate is trusted like the letsencrypt.org certificate is, since the chain of trust shouldn't be broken. The to-be-created certificate is unnecessary. I want to create it for the purpose of learning, in case this question doesn't reveal I'm requesting something impossible.

Kalle Richter
  • What are you trying to accomplish? If you're trying to create a mutual trust between servers, for instance, you can do that with self-signed certificates and explicitly importing them into truststores on each side. If you want publicly trusted certificates, you need to get a letsencrypt cert for each server and use those. – crovers Jul 20 '16 at 18:45

1 Answer

You cannot use your SSL certificate purchased from Let's Encrypt to sign other certificates. In order to do this, your certificate must be a CA certificate. This is done by setting isCA=true in the BasicConstraints certificate extension. In addition, the KeyUsage extension should have the keyCertSign bit enabled.

More information on how the Basic Constraints extension works is in my blog post: Basic Constraints certificate extension

Your SSL certificate doesn't have such a setting, and no one will give you one.

What you need is to acquire another certificate from a CA provider (Let's Encrypt, for instance).

Edit: as a side note. You can purchase a CA certificate from public CAs, however it is quite expensive. Service costs are thousands and thousands of dollars. In addition, you will have to purchase a Hardware Security Module (HSM), which is quite expensive ($5k+ for a PCI card and around $30k+ for a net HSM like Thales nCipher). And you will have to pass external audits to verify policy conformance. This procedure is called Certification Authority Root Signing. I wrote an article about the subject: https://social.technet.microsoft.com/wiki/contents/articles/5973.certification-authority-root-signing.aspx

I suspect that this is not your case, so as @crovers suggested, you just need to acquire another certificate from Let's Encrypt like you already did for your domain.

Crypt32
  • Good to know, thank you! Do you think/know if there's a way to do that with `certbot` or another letsencrypt.org client? I don't find any option in `man letsencrypt`, and only blog/diary-like articles like https://letsencrypt.org/2015/06/04/isrg-ca-certs.html on [google](https://www.google.de/search?client=ubuntu&channel=fs&q=letsencrypt+ca+certificate&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=T8aPV_D1KJHZ8AeDsYkY) which don't explain whether or not I can get a CA certificate. – Kalle Richter Jul 20 '16 at 19:02
  • You cannot get a CA certificate. It is for CAs. You can generate another DV certificate from Let's Encrypt just like you did before to secure another domain if you want. – void_in Jul 20 '16 at 19:16
  • @void_in, actually you can (under certain circumstances, see my edits), but not in this case (I think so). – Crypt32 Jul 20 '16 at 19:38