
I have created a root certificate, My Root Certificate, with a private key, RSA Private Key 1, using the openssl terminal command.
I would like to make a certificate chain such as the following:

  • My Root Certificate
  • example.com, signed with RSA Private Key 1

How could I make this certificate chain with the openssl terminal command?

Java Is Cool

2 Answers

  1. First, create the directories to hold the CA certificate and related files:

    sudo mkdir /etc/ssl/CA
    sudo mkdir /etc/ssl/newcerts
    
  2. The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number), and another file to record which certificates have been issued:

    sudo sh -c "echo '01' > /etc/ssl/CA/serial"
    sudo touch /etc/ssl/CA/index.txt
    
  3. The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] section change:

     dir             = /etc/ssl/             # Where everything is kept
     database        = $dir/CA/index.txt     # database index file.
     certificate     = $dir/certs/cacert.pem # The CA certificate
     serial          = $dir/CA/serial        # The current serial number
     private_key     = $dir/private/cakey.pem # The private key
    
  4. Next, create the self-signed root certificate:

    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    

    You will then be asked to enter the details about the certificate.

  5. Now install the root certificate and key:

    sudo mv cakey.pem /etc/ssl/private/
    sudo mv cacert.pem /etc/ssl/certs/
    
  6. You are now ready to start signing certificates. The first item needed is a Certificate Signing Request (CSR), see Generating a Certificate Signing Request (CSR) for details. Once you have a CSR, enter the following to generate a certificate signed by the CA:

    sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
    

    After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation.

  7. There should now be a new file, /etc/ssl/newcerts/01.pem, containing the same output. Copy and paste everything beginning with the line

    -----BEGIN CERTIFICATE-----

    and continuing through the line

    -----END CERTIFICATE-----

    to a file named after the hostname of the server where the certificate will be installed. For example, mail.example.com.crt is a nice descriptive name. Subsequent certificates will be named 02.pem, 03.pem, etc.

    Replace mail.example.com.crt with your own descriptive name.

  8. Finally, copy the new certificate to the host that needs it, and configure the appropriate applications to use it. The default location to install certificates is /etc/ssl/certs. This enables multiple services to use the same certificate without overly complicated file permissions.

    For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.pem file to the /etc/ssl/certs/ directory on each server.

Rocky Chen

This helped me: http://openssl.6102.n7.nabble.com/create-certificate-chain-td44046.html. Very nice question, but the answer is what mattered.

Java Is Cool