The information have been extracted from this source
-
Modify the root CA configuration file from ./certs-resources/openssl.cnf (should you wish you can even copy it to
/root/ca/openssl.cnf
to perform the operations there). -
Create the root key
cd certs-resources mkdir -p certs mkdir -p crl mkdir -p csr mkdir -p newcerts mkdir -p private mkdir -p intermediate/certs mkdir -p intermediate/crl mkdir -p intermediate/csr mkdir -p intermediate/newcerts mkdir -p intermediate/private openssl genrsa -aes256 -out private/ca.key.pem 4096 Enter pass phrase for ca.key.pem: <secretpassword> Verifying - Enter pass phrase for ca.key.pem: <secretpassword> chmod 400 private/ca.key.pem
-
Create the CA Root certificate
-
Give the root certificate a long expiry date, such as 20 years as once the root certificate expires, all certificates signed by the CA become invalid
openssl req -config openssl.cnf \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem Enter pass phrase for ca.key.pem: <secretpassword> You are about to be asked to enter information that will be incorporated into your certificate request. ----- Country Name (2 letter code) [XX]:GB State or Province Name []:England Locality Name []: Organization Name []:Travel Agency Ltd Organizational Unit Name []:Travel Agency Ltd Certificate Authority Common Name []:Travel Agency Ltd Root CA Email Address []: chmod 444 certs/ca.cert.pem
-
-
Verify the root certificate
openssl x509 -noout -text -in certs/ca.cert.pem
-
Create the intermediate pair
-
Prepare dirs
cd ./certs-resources/intermediate chmod 700 private touch index.txt echo 1000 > serial
-
Add a
crlnumber
file to the intermediate CA directory tree.crlnumber
is used to keep track of certificate revocation lists.echo 1000 > crlnumber
Copy/Modify the intermediate CA configuration file from at ./certs-resources/intermediate/openssl.cnf. Five options have been changed compared to the root CA configuration file:
[ CA_default ] #dir = /root/ca/intermediate dir = ./certs-resources/intermediate private_key = $dir/private/intermediate.key.pem certificate = $dir/certs/intermediate.cert.pem crl = $dir/crl/intermediate.crl.pem policy = policy_loose
-
-
Create the intermediate CA key
cd ../ openssl genrsa -out intermediate/private/intermediate.key.pem 4096 Enter pass phrase for intermediate.key.pem: <LEAVE EMPTY> Verifying - Enter pass phrase for intermediate.key.pem: <LEAVE EMPTY> chmod 400 intermediate/private/intermediate.key.pem
-
Create the intermediate CA certificate
-
Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.
openssl req -config intermediate/openssl.cnf -new -sha256 \ -key intermediate/private/intermediate.key.pem \ -out intermediate/csr/intermediate.csr.pem Enter pass phrase for intermediate.key.pem: <secretpassword> You are about to be asked to enter information that will be incorporated into your certificate request. ----- Country Name (2 letter code) [XX]:GB State or Province Name []:England Locality Name []: Organization Name []:Travel Agency Ltd Organizational Unit Name []:Travel Agency Ltd Certificate Authority Common Name []:Travel Agency Ltd Intermediate CA Email Address []:
-
To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate (eg. 10 years)
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \ -days 3650 -notext -md sha256 \ -in intermediate/csr/intermediate.csr.pem \ -out intermediate/certs/intermediate.cert.pem Enter pass phrase for ca.key.pem: <secretpassword> Sign the certificate? [y/n]: y chmod 444 intermediate/certs/intermediate.cert.pem
-
The
index.txt
file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate.V 250408122707Z 1000 unknown ... /CN=Alice Ltd Intermediate CA
-
-
Verify the intermediate certificate
-
As we did for the root certificate, check that the details of the intermediate certificate are correct.
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
-
Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem intermediate.cert.pem: OK
-
-
-
Create the certificate chain file
-
When an application (eg, a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate. To complete the chain of trust, create a CA certificate chain to present to the application.
-
To create the CA certificate chain, concatenate the intermediate and root certificates together. We will use this file later to verify certificates signed by the intermediate CA.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem chmod 444 intermediate/certs/ca-chain.cert.pem
-
-