README-create-ca-root-and-intermediate-key-certs.adoc

How to create OSSM Root and Intermediate CA Keys and Certificates

The information have been extracted from this source

1. Modify the root CA configuration file from ./certs-resources/openssl.cnf (should you wish you can even copy it to /root/ca/openssl.cnf to perform the operations there).

2. Create the root key

   cd certs-resources
   mkdir -p certs
   mkdir -p crl
   mkdir -p csr
   mkdir -p newcerts
   mkdir -p private
   mkdir -p intermediate/certs
   mkdir -p intermediate/crl
   mkdir -p intermediate/csr
   mkdir -p intermediate/newcerts
   mkdir -p intermediate/private
   
   
   openssl genrsa -aes256 -out private/ca.key.pem 4096
   
       Enter pass phrase for ca.key.pem: <secretpassword>
       Verifying - Enter pass phrase for ca.key.pem: <secretpassword>
   
   chmod 400 private/ca.key.pem

3. Create the CA Root certificate

   • Give the root certificate a long expiry date, such as 20 years as once the root certificate expires, all certificates signed by the CA become invalid

     openssl req -config openssl.cnf \
           -key private/ca.key.pem \
           -new -x509 -days 7300 -sha256 -extensions v3_ca \
           -out certs/ca.cert.pem
     
     Enter pass phrase for ca.key.pem: <secretpassword>
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     -----
     Country Name (2 letter code) [XX]:GB
     State or Province Name []:England
     Locality Name []:
     Organization Name []:Travel Agency Ltd
     Organizational Unit Name []:Travel Agency Ltd Certificate Authority
     Common Name []:Travel Agency Ltd Root CA
     Email Address []:
     
     chmod 444 certs/ca.cert.pem

4. Verify the root certificate

   openssl x509 -noout -text -in certs/ca.cert.pem

5. Create the intermediate pair

   1. Prepare dirs

      cd ./certs-resources/intermediate
      chmod 700 private
      touch index.txt
      echo 1000 > serial

      • Add a crlnumber file to the intermediate CA directory tree. crlnumber is used to keep track of certificate revocation lists.

        echo 1000 > crlnumber

        Copy/Modify the intermediate CA configuration file from at ./certs-resources/intermediate/openssl.cnf. Five options have been changed compared to the root CA configuration file:

        [ CA_default ]
        #dir             = /root/ca/intermediate
        dir             = ./certs-resources/intermediate
        private_key     = $dir/private/intermediate.key.pem
        certificate     = $dir/certs/intermediate.cert.pem
        crl             = $dir/crl/intermediate.crl.pem
        policy          = policy_loose

   2. Create the intermediate CA key

      cd ../
      
      openssl genrsa -out intermediate/private/intermediate.key.pem 4096
      
      Enter pass phrase for intermediate.key.pem: <LEAVE EMPTY>
      Verifying - Enter pass phrase for intermediate.key.pem: <LEAVE EMPTY>
      
      chmod 400 intermediate/private/intermediate.key.pem

   3. Create the intermediate CA certificate

      • Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

        openssl req -config intermediate/openssl.cnf -new -sha256 \
              -key intermediate/private/intermediate.key.pem \
              -out intermediate/csr/intermediate.csr.pem
        
        Enter pass phrase for intermediate.key.pem: <secretpassword>
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        -----
        Country Name (2 letter code) [XX]:GB
        State or Province Name []:England
        Locality Name []:
        Organization Name []:Travel Agency Ltd
        Organizational Unit Name []:Travel Agency Ltd Certificate Authority
        Common Name []:Travel Agency Ltd Intermediate CA
        Email Address []:

      • To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate (eg. 10 years)

        openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
              -days 3650 -notext -md sha256 \
              -in intermediate/csr/intermediate.csr.pem \
              -out intermediate/certs/intermediate.cert.pem
        
        Enter pass phrase for ca.key.pem: <secretpassword>
        Sign the certificate? [y/n]: y
        
        chmod 444 intermediate/certs/intermediate.cert.pem

      • The index.txt file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate.

        V 250408122707Z 1000 unknown ... /CN=Alice Ltd Intermediate CA

   4. Verify the intermediate certificate

      • As we did for the root certificate, check that the details of the intermediate certificate are correct.

        openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem

      • Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

        openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
        intermediate.cert.pem: OK

6. Create the certificate chain file

   • When an application (eg, a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate. To complete the chain of trust, create a CA certificate chain to present to the application.

     • To create the CA certificate chain, concatenate the intermediate and root certificates together. We will use this file later to verify certificates signed by the intermediate CA.

       cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
       chmod 444 intermediate/certs/ca-chain.cert.pem