Skip to content

Intermediate OpenSSL CA

Torrie Fischer edited this page May 28, 2014 · 1 revision

Generating an intermediate CA

This document will walk you through generating an intermediate CA, using hackerbots.kickass.systems as the example

First, generate the CSR:

$ openssl req -nodes -new -x509 -keyout hackerbots-ca.key.pem -out hackerbots-ca.csr.pem
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Ohio
Locality Name (eg, city) [Default City]:Akron
Organization Name (eg, company) [Default Company Ltd]:Hackerbots
Organizational Unit Name (eg, section) []:Intermediate Certificate Authority
Common Name (eg, your name or your server's hostname) []:hackerbots.net CA
Email Address []:tdfischer@hackerbots.net

Next, sign the CSR with the upstream CA:

openssl ca -keyfile ca.key.pem \
  -cert ca.cert.pem \
  -extensions v3_ca \
  -notext -md sha1 \
  -in hackerbots-ca.csr.pem \
  -out hackerbots-ca.cert.pem

Optionally, verify that the certificate is valid:

openssl verify -CAfile ca.cert.pem hackerbots-ca.cert.pem

Finally, create an certificate chain file that includes the upstream CA and the intermediate:

cat hackerbots-ca.cert.pem ca.cert.pem > hackerbots-ca-chain.cert.pem

Certificates may be verified against this chain via:

openssl verify -CAfile hackerbots-ca-chain.cert.pem hackerbots-subcert.cert.pem
Clone this wiki locally
You can’t perform that action at this time.