@amimof
Last active June 2, 2020 07:25
How to create an intermediate certificate authority to issue server certificates using OpenSSL

OpenSSL Configuration

Use this configuration with OpenSSL. You may add real IP and DNS SANs (Subject Alternative Names) below under [ alt_names ].

cat <<EOF > openssl.conf 
[ req ]
distinguished_name = req_distinguished_name
[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = foo.bar.com
IP.1 = 127.0.0.1
IP.2 = 10.32.0.91
EOF

Root CA

The root certificate authority is typically self-signed and will be used to issue certificates for intermediate certificate authorities.

Create root private key

openssl genrsa -out root-ca-key.pem 2048

Create root CA certificate

The root certificate is self-signed.

openssl req \
  -x509 \
  -new -sha256 \
  -nodes \
  -key root-ca-key.pem \
  -days 1826 \
  -out root-ca.pem \
  -subj '/CN=root-ca/C=SE/L=Gothenburg/O=amimof/' \
  -extensions v3_ca \
  -config openssl.conf

Intermediate CA

The intermediate CA can be used to issue certificates used by servers and clients and is signed by the root CA.

Create intermediate private key

openssl genrsa -out intermediate-ca-key.pem 2048

Create intermediate CSR

openssl req \
  -new \
  -sha256 \
  -key intermediate-ca-key.pem \
  -subj '/CN=intermediate-ca/C=SE/L=Gothenburg/O=amimof/' \
  -out intermediate-ca.csr

Sign intermediate CSR with root CA

openssl x509 \
  -req \
  -sha256 \
  -CA root-ca.pem \
  -CAkey root-ca-key.pem \
  -CAcreateserial \
  -out intermediate-ca.pem \
  -days 1826 \
  -extensions v3_ca \
  -in intermediate-ca.csr \
  -extfile openssl.conf

Server Certificates

These certificates are used by servers, clients and applications, and are issued by the intermediate CA.

Create the private key

openssl genrsa -out server-key.pem 2048

Create the CSR

openssl req \
  -new \
  -sha256 \
  -key server-key.pem \
  -subj '/CN=example.com/C=SE/L=Gothenburg/O=amimof/' \
  -out server.csr

Sign the server CSR with the intermediate CA

openssl x509 \
  -req \
  -sha256 \
  -CA intermediate-ca.pem \
  -CAkey intermediate-ca-key.pem \
  -CAcreateserial \
  -out server.pem \
  -days 1826 \
  -extensions v3_req_server \
  -in server.csr \
  -extfile openssl.conf

Verify

openssl x509 -in root-ca.pem -text -noout
openssl x509 -in intermediate-ca.pem -text -noout
openssl x509 -in server.pem -text -noout
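Printing the certificates only shows what was issued; the check that matters is whether the leaf actually chains to the root through the intermediate, and that the extensions landed on the right certificate. The script below is an added example, not part of the gist: it replays the gist's commands in a temporary directory (with `-config openssl.conf` also passed to the CSR steps so it does not depend on a system-wide openssl.cnf, and assuming `openssl` is on PATH) and then verifies the result with `openssl verify`.

```shell
# Added example, not from the gist. Rebuilds the root -> intermediate -> server
# chain, then verifies it. Assumes `openssl` is on PATH; runs in a temp dir.
build_and_verify_chain() (
  cd "$(mktemp -d)" || exit 1
  cat <<'EOF' > openssl.conf
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
IP.1 = 127.0.0.1
EOF
  # Root CA: self-signed with the v3_ca extensions
  openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
  openssl req -x509 -new -sha256 -nodes -key root-ca-key.pem -days 1826 -out root-ca.pem \
    -subj '/CN=root-ca/O=example' -extensions v3_ca -config openssl.conf
  # Intermediate CA: CSR signed by the root, also with v3_ca (CA:TRUE, keyCertSign)
  openssl genrsa -out intermediate-ca-key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key intermediate-ca-key.pem -subj '/CN=intermediate-ca/O=example' \
    -out intermediate-ca.csr -config openssl.conf
  openssl x509 -req -sha256 -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -days 1826 \
    -extensions v3_ca -extfile openssl.conf -in intermediate-ca.csr -out intermediate-ca.pem 2>/dev/null
  # Server certificate: CSR signed by the intermediate with v3_req_server (CA:FALSE, SANs)
  openssl genrsa -out server-key.pem 2048 2>/dev/null
  openssl req -new -sha256 -key server-key.pem -subj '/CN=example.com/O=example' \
    -out server.csr -config openssl.conf
  openssl x509 -req -sha256 -CA intermediate-ca.pem -CAkey intermediate-ca-key.pem -CAcreateserial \
    -days 1826 -extensions v3_req_server -extfile openssl.conf -in server.csr -out server.pem 2>/dev/null
  # 1. The leaf chains to the root when the intermediate is supplied as an untrusted extra cert.
  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem server.pem 2>&1 | grep -q ': OK$' || exit 1
  # 2. Without the intermediate the leaf must NOT verify: a server has to send the intermediate too.
  openssl verify -CAfile root-ca.pem server.pem 2>&1 | grep -q ': OK$' && exit 1
  # 3. Extensions landed where intended: leaf is CA:FALSE with its SAN, intermediate is CA:TRUE.
  openssl x509 -in server.pem -noout -text | grep -q 'CA:FALSE' || exit 1
  openssl x509 -in server.pem -noout -text | grep -q 'DNS:example.com' || exit 1
  openssl x509 -in intermediate-ca.pem -noout -text | grep -q 'CA:TRUE' || exit 1
  echo ok
)
```

Check 2 is the one most often missed in practice: a leaf that verifies only with `-untrusted intermediate-ca.pem` means the server must deliver `server.pem` followed by `intermediate-ca.pem` in its TLS chain, with only `root-ca.pem` distributed to clients.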