5

I use my own CA to create SSL certs for services in my infra. These certs are signed directly by my CA.

It comes to me that this is likely a weak strategy, as if the cert was to be compromised, I need to create new ones from the one CA. If the CA gets compromised, game over as every service will need to be updated.

So my understanding is that the typical way to 'protect' oneself and 'dilute' concern is to create a chain of certificates, and sign the service certificates with the end of the chain, so that if the signer gets compromised, the next level up can be used to create a new signing cert.

Do I get that right?

What I'd like to do then is create my own cert chain.

The whole TLS/SSL stuff is still a bit hazy to me, but as I can see, one first create a master key, with openssl genrsa then create a self-signed certificate using that key with openssl req -x509 -new to create the CA.

Then I can create new keys, and certificate signing requests with openssl req -new -key' and sign the request with my CA withopenssl x509 -req -CA ca.pem ...`

So, to create a certificate chain, what am supposed to do?

Do I simply create a new key, new signing request, and sign it with the last signed certificate instead of the CA? And so on until I have enough levels of protection, then sign all cert/key pairs with the lowest level cert?

This stuff is confusing and I'd like to get it right ;-)

Everything I find only about TLS is overwhelmingly complicated, while the 'simple' tutorials are obscure. I'm looking through the openssl man-pages but I'd like to get a simple explanation of the process, then I'll make sure to get each step right.

Thanks for your insight.

MrE
  • 408
  • 1
  • 5
  • 14

2 Answers2

5

You sign an intermediate CA request with the root CA. With this signing certificate authority the root CA can remain offline.

The root CA can still be trusted and issue replacement signing CAs if necessary. The challenge then becomes issuing certificate revocations, especially if you don't control all clients.

The process is somewhat involved if you do it manually. See https://jamielinux.com/docs/openssl-certificate-authority/ for a guide.

John Mahowald
  • 30,009
  • 1
  • 17
  • 32
  • also found this blog that covers the same but tend to explain the commands in more details: https://evilshit.wordpress.com/2013/06/19/how-to-create-your-own-pki-with-openssl/ – MrE Dec 13 '15 at 20:39
  • 1
    I am not affiliated with Jamie Nguyen who wrote that guide. It is one of the few I found that describe openssl based two tier CA, with CRL and OCSP. Which are features you want given the desire to secure and maintain your PKI. – John Mahowald Jun 06 '18 at 11:28
-2

Seems like a lot of fuss, when Let's Encrypt is now in Public Beta...

https://letsencrypt.org/

Gordon Bell
  • 338
  • 2
  • 12