I would like to set up my own OCSP Responder for testing purposes, and this requires me to have a Root certificate with a few certificates generated from it.

I've managed to create a self-signed certificate using openssl, and I want to use it as the Root certificate. The next step would be to create the derived certificates; however, I can't seem to find the documentation on how to do this. Does anyone know where I can find this information?

In retrospect, my question is not yet completely answered, and to clarify the problem, I'll represent my certificate chain like this: Root > A > B > C > ...

I am currently able to create the Root and A certificates via the below, but I haven't found how to make a longer chain:

```
# Root certificate is created like this:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
```

This command implicitly depends on the root certificate, for which it finds the required info within the OpenSSL configuration file; however, certificate B must only rely on A, which is not registered in the config file, so the previous command won't work here.

What command should I use to create certificates B and beyond?

---

I found the answer in this article: Certificate B (chain A -> B) can be created with these two commands, and this approach seems to be working well:

```
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
```

I also changed the openssl.cnf file:

```
basicConstraints=CA:TRUE # prev value was FALSE
```

---

Summary of the commands used to create a root CA, an intermediate CA, and a leaf certificate:

```
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config root_req.config
openssl ca -in root.csr -out root.pem -config nfig -selfsign -extfile ca.ext -days 1095

openssl genrsa -out intermediate.key 2048
openssl req -new -key intermediate.key -out intermediate.csr -config intermediate_req.config
openssl ca -in intermediate.csr -out intermediate.pem -config nfig -extfile ca.ext -days 730   # signed with the root CA's configuration

openssl genrsa -out leaf.key 2048   # the key the next command's CSR is built from
openssl req -new -key leaf.key -out leaf.csr -config leaf_req.config
openssl ca -in leaf.csr -out leaf.pem -config nfig -days 365   # signed with the intermediate CA's configuration

openssl verify -x509_strict -CAfile root.pem -untrusted intermediate.pem leaf.pem
```

These commands rely on some setup, which I will describe below. They are a bit of an overkill if you just want a few certs in a chain, which can be done with just the x509 command. These commands will also track your certs in a text database and auto-increment a serial number. I would recommend reading the warnings and bugs section of the openssl ca man page before or after reading this answer.

Starting Directory Structure

We will need the following directory structure before starting:

```
root_ca/                    # state files specific to the root CA
    index                   # a text database of issued certificates
    serial                  # an auto-incrementing serial number for issued certificates
intermediate_ca/            # state files specific to the intermediate CA
    index
    serial
root_req.config             # configuration for the root CA's csr
intermediate_req.config     # configuration for the intermediate CA's csr
leaf_req.config             # configuration for the leaf cert's csr
nfig                        # configuration for the intermediate CA
ca.ext                      # the extensions required for a CA certificate for signing certs
```

File Contents

The contents of each of the files in the directory structure are as follows.

root_ca/serial and intermediate_ca/serial hold the starting serial number (a single 0 does not work). root_ca/index and intermediate_ca/index are the text databases of issued certificates and start out empty.

ca.ext:

```
basicConstraints = critical,CA:true   # recommended to be marked critical.
keyUsage = critical,keyCertSign       # required to be marked critical.
```

Each CA's configuration file (the file passed with -config to openssl ca) contains, among other settings, the following entries; the intermediate CA's file uses intermediate_ca and intermediate.pem in place of root_ca and root.pem:

```
dir = ./root_ca                 # helper variable pointing to ca specific files
database = $dir/index           # database of certs generated by the ca
serial = $dir/serial            # file with incrementing hex serial number for certs
certificate = ../root.pem       # one dir up to make the demo easier
unique_subject = no             # recommended for easier certificate rollover
copy_extensions = none          # don't honor the extensions in the csr
```

The *_req.config files are openssl req configurations; each points at its subject section with distinguished_name = req_distinguished_name.

If this is a more permanent CA, the following changes are probably a good idea:

- Moving each CA's configuration file, private key (generated later), and certificate file (generated later) to the CA's directory.
- Creating a subdirectory in the CA's directory for issued certificates. This will require changes to the configuration file.
- Setting a default number of days for issued certificates in the CA configuration files. This requires changes to the configuration file.
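The answer's setup end to end, as an added runnable example that is not code from the question or the answer: one `openssl ca` configuration per CA, a `ca.ext` for the CA extensions, the root issued with `-selfsign`, and the leaf checked with `openssl verify -x509_strict`. A second function reproduces the mistake the question ran into (an issuer certificate whose basicConstraints say CA:FALSE) and shows that `openssl ca` signs with it without complaint while verification rejects the leaf. It assumes only a local `openssl` binary; the directory, section and subject names (`root_ca`, `intermediate_ca`, `policy_any`, `Demo Root CA`, `leaf.example.test`) and the settings the scraped answer does not show (`new_certs_dir`, `private_key`, `default_md`, `policy`, and the key identifier extensions that `-x509_strict` requires on current OpenSSL) are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the question or the answer: a root -> intermediate
# -> leaf chain built with one `openssl ca` configuration per CA, the way the
# answer describes, plus the failure mode from the question (an issuer whose
# basicConstraints say CA:FALSE). Directory, section and subject names and the
# settings not shown on the page are assumptions made for this demo.
set -e

# new_ca NAME KEY CERT: state files plus an `openssl ca` config for one CA.
# NAME is the state directory and the config section; KEY and CERT are the
# CA's own key and certificate, relative to the working directory.
new_ca() {
  mkdir -p "$1" && : > "$1/index" && printf '1000\n' > "$1/serial" || return 1
  cat > "$1.config" <<EOF
[ ca ]
default_ca = $1

[ $1 ]
dir             = ./$1            # helper variable pointing to ca specific files
database        = \$dir/index     # text database of issued certs (starts empty)
serial          = \$dir/serial    # hex serial; an even number of digits, a lone 0 fails
new_certs_dir   = \$dir           # copies of issued certs, named by serial
private_key     = ./$2
certificate     = ./$3
default_md      = sha256
unique_subject  = no              # allow re-issuing the same subject (rollover)
copy_extensions = none            # never honour extensions requested in the CSR
policy          = policy_any

[ policy_any ]
commonName = supplied
EOF
}

# Extension files. ca.ext is what a CA certificate needs; subjectKeyIdentifier
# must precede authorityKeyIdentifier so a self-signed root can fill in its own
# AKID. nonca.ext reproduces the question's mistake: an issuer with CA:FALSE.
write_ext_files() {
  printf '%s\n' 'basicConstraints = critical,CA:true' \
    'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid:always' > ca.ext
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid:always' > leaf.ext
  printf '%s\n' 'basicConstraints = CA:FALSE' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid:always' > nonca.ext
}

# make_csr NAME CN: fresh RSA key and a CSR whose subject is just the CN,
# driven by a small NAME_req.config like the answer's *_req.config files.
make_csr() {
  printf '[ req ]\nprompt = no\ndistinguished_name = req_distinguished_name\n\n[ req_distinguished_name ]\nCN = %s\n' "$2" > "$1_req.config" &&
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -key "$1.key" -config "$1_req.config" -out "$1.csr" 2>/dev/null
}

# issue CA CSR OUT DAYS [extra openssl ca options]: sign CSR under CA's config.
issue() {
  ca=$1; csr=$2; out=$3; days=$4; shift 4
  openssl ca -batch -notext -config "$ca.config" -in "$csr" -out "$out" \
    -days "$days" "$@" >/dev/null 2>&1
}

# start_pki DIR: enter a fresh working directory, write configs and extension
# files, and issue the self-signed root through `openssl ca -selfsign`.
start_pki() {
  mkdir -p "$1" && cd "$1" && write_ext_files &&
  new_ca root_ca root.key root.pem &&
  new_ca intermediate_ca intermediate.key intermediate.pem &&
  make_csr root "Demo Root CA" &&
  issue root_ca root.csr root.pem 1095 -selfsign -extfile ca.ext
}

# build_chain DIR: intermediate signed by the root, leaf signed by the
# intermediate; returns 0 when the leaf verifies strictly against the root
# alone, with the intermediate supplied as untrusted (runs in a subshell).
build_chain() (
  start_pki "$1" &&
  make_csr intermediate "Demo Intermediate CA" &&
  issue root_ca intermediate.csr intermediate.pem 730 -extfile ca.ext &&
  make_csr leaf leaf.example.test &&
  issue intermediate_ca leaf.csr leaf.pem 365 -extfile leaf.ext &&
  openssl verify -x509_strict -CAfile root.pem -untrusted intermediate.pem leaf.pem >/dev/null 2>&1
)

# non_ca_intermediate_is_rejected DIR: same chain, but the intermediate is
# issued with nonca.ext. openssl ca still signs the leaf with it; returns 0
# when verification then refuses the leaf, which is the expected outcome.
non_ca_intermediate_is_rejected() (
  start_pki "$1" &&
  make_csr intermediate "Not A CA" &&
  issue root_ca intermediate.csr intermediate.pem 730 -extfile nonca.ext &&
  make_csr leaf leaf.example.test &&
  issue intermediate_ca leaf.csr leaf.pem 365 -extfile leaf.ext || exit 1
  ! openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem >/dev/null 2>&1
)

# Run both scenarios in a scratch directory: sh chain_demo.sh demo
case "${1-}" in
  demo)
    work=$(mktemp -d)
    build_chain "$work/good" && echo "chain verifies (strict): $work/good/leaf.pem"
    non_ca_intermediate_is_rejected "$work/bad" && echo "leaf under a CA:FALSE issuer rejected: $work/bad"
    ;;
esac
```

Run it as `sh chain_demo.sh demo`. Each CA keeps its own `index` and `serial`, so the root's database records the intermediate and the intermediate's records the leaf, which is exactly the separation the question was missing when a single `openssl.cnf` pointed every `openssl ca` invocation at the root.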