@corford
Created September 17, 2017 17:45
Creating a Root CA, intermediate Sub-CA and end entity cert
This gist gives you the commands and config necessary to quickly and safely:
- Create a Root Certificate Authority (valid until the year ~2045, whose key is meant to be stored somewhere secure and hard to get at, e.g. on a USB key in an off-prem vault)
- Create an intermediate sub-root certificate authority (used for day-to-day signing of end-entity certs)
- Create an end-entity cert (e.g. for securing nginx/apache)
For more background, see: https://developers.yubico.com/PIV/Guides/Certificate_authority.html
[ Creating a root CA ]
# mkdir /opt/company_CA && cd /opt/company_CA
# mkdir private && chmod 700 private   [ the key files below are written into private/ ]
# openssl genrsa -aes256 -out private/root_ca.key.pem 3744
# cat>root_ca.crt.conf<<EOF
[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=Company Internal Root-CA
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints=critical,CA:true,pathlen:1
keyUsage=critical,keyCertSign,cRLSign
EOF
# datefudge "2017-01-01 UTC" openssl req -new -sha256 -x509 -set_serial 1 -days 10000 -config root_ca.crt.conf -key private/root_ca.key.pem -out root_ca.crt.pem
[ Creating an intermediate CA ]
# cd /opt/company_CA
# openssl genrsa -aes256 -out private/sub_ca1.key.pem 3744
# cat>sub_ca1.csr.conf<<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=Internal Sub-CA (1)
EOF
# openssl req -sha256 -new -config sub_ca1.csr.conf -key private/sub_ca1.key.pem -nodes -out sub_ca1.csr.pem
# cat>sub_ca1.crt.conf<<EOF
subjectKeyIdentifier=hash
basicConstraints = critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign
EOF
# openssl x509 -sha256 -CA root_ca.crt.pem -CAkey private/root_ca.key.pem -CAserial root_ca.srl -CAcreateserial -days 3700 -req -in sub_ca1.csr.pem -extfile sub_ca1.crt.conf -out sub_ca1.crt.pem
# cat>sub_ca1.ca.conf<<EOF
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/sub_ca1.srl
database = $dir/sub_ca1.db
new_certs_dir = $dir/newcerts/sub_ca1
policy = policy_match
x509_extensions = v3_ca
[ v3_ca ]
[ policy_match ]
commonName = supplied
EOF
# mkdir -p newcerts/sub_ca1   [ new_certs_dir from sub_ca1.ca.conf must exist before "openssl ca" runs ]
# touch sub_ca1.db
# echo 01 > sub_ca1.srl
[ Creating and signing a normal end-entity certificate ]
# cd /opt/company_CA
# mkdir -p ready_for_use/domain.dom/subdomain
# openssl genrsa -out ready_for_use/domain.dom/subdomain/key.pem 3744
# cat>ready_for_use/domain.dom/subdomain/csr.conf<<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=sub.domain.dom
EOF
# openssl req -sha256 -new -config ready_for_use/domain.dom/subdomain/csr.conf -key ready_for_use/domain.dom/subdomain/key.pem -nodes -out ready_for_use/domain.dom/subdomain/csr.pem
# cat>ready_for_use/domain.dom/subdomain/crt.conf<<EOF
basicConstraints = critical,CA:false
keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
extendedKeyUsage=critical,serverAuth,clientAuth,emailProtection
subjectAltName=critical,DNS:sub.domain.dom
EOF
# openssl ca -md sha256 -utf8 -noemailDN -notext -config sub_ca1.ca.conf -cert sub_ca1.crt.pem -keyfile private/sub_ca1.key.pem -enddate 20251201050000Z -extfile ready_for_use/domain.dom/subdomain/crt.conf -in ready_for_use/domain.dom/subdomain/csr.pem -out ready_for_use/domain.dom/subdomain/crt.pem
# cat ready_for_use/domain.dom/subdomain/crt.pem sub_ca1.crt.pem > ready_for_use/domain.dom/subdomain/chained.crt.pem
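The whole procedure above, as an added shell example that is not part of the gist: it rebuilds the root / sub-CA / end-entity chain in a temporary directory and checks that "openssl verify" accepts the chain and rejects one that goes a CA tier deeper than the sub-CA's pathlen:0 allows. It assumes openssl on PATH and, so that it runs unattended, uses unencrypted 2048-bit keys and "openssl x509 -req" for every signature instead of the gist's passphrase-protected 3744-bit keys and "openssl ca".

```shell
#!/bin/sh
# Added example, not part of the gist: rebuild the same three-tier chain in a
# scratch directory and check that OpenSSL enforces the constraints the gist
# sets (pathlen:1 on the root, pathlen:0 on the sub-CA). Assumption: keys are
# unencrypted 2048-bit RSA and every cert is signed with "openssl x509 -req"
# so the script runs unattended; keep the gist's -aes256 / 3744-bit settings.
set -e

# Write the gist's three extension sets into the scratch directory $1.
write_ext_files() {
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/root.ext"
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign\n' > "$1/sub.ext"
    printf 'basicConstraints=critical,CA:false\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth\nsubjectAltName=critical,DNS:sub.domain.dom\n' > "$1/leaf.ext"
}

# issue DIR NAME CN ISSUER EXTFILE: new key and CSR for NAME, signed by ISSUER's
# key with the extensions in EXTFILE ("x509 -req" does not check pathlen itself).
issue() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$3" -key "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial \
        -extfile "$1/$5" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Returns 0 if root -> sub -> leaf verifies AND a chain one CA tier deeper than
# the sub-CA's pathlen:0 permits is rejected; 1 or 2 otherwise.
chain_check() {
    d=$(mktemp -d)
    write_ext_files "$d"
    # Self-signed root with the same extensions as root_ca.crt.conf in the gist.
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=Company Internal Root-CA" -key "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -signkey "$d/root.key" -extfile "$d/root.ext" \
        -in "$d/root.csr" -out "$d/root.crt" 2>/dev/null
    issue "$d" sub "Internal Sub-CA (1)" root sub.ext
    issue "$d" leaf sub.domain.dom sub leaf.ext
    # The gist's chain must verify once the intermediate is supplied as untrusted.
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" "$d/leaf.crt" >/dev/null 2>&1 || return 1
    # A further CA under the sub-CA, and a leaf under that: the sub-CA's
    # pathlen:0 means verification must fail with a path length error.
    issue "$d" deep "Unexpected Sub-Sub-CA" sub sub.ext
    issue "$d" leaf2 sub.domain.dom deep leaf.ext
    cat "$d/sub.crt" "$d/deep.crt" > "$d/untrusted.pem"
    if openssl verify -CAfile "$d/root.crt" -untrusted "$d/untrusted.pem" "$d/leaf2.crt" >/dev/null 2>&1; then
        return 2
    fi
    rm -rf "$d"
}

chain_check && echo "chain verifies and pathlen:0 is enforced"
```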
[ Installing the newly created root certificate authority on Debian/Ubuntu ]
# mkdir /usr/share/ca-certificates/company
# cp root_ca.crt.pem /usr/share/ca-certificates/company/company_root_ca.crt   [ NOTE: file must be in PEM format and end in .crt ]
# dpkg-reconfigure ca-certificates
# openssl verify -CApath /etc/ssl/certs -untrusted sub_ca1.crt.pem ready_for_use/domain.dom/subdomain/crt.pem   [ NOTE: /etc/ssl/certs is the hashed directory update-ca-certificates maintains; the intermediate must be passed with -untrusted, otherwise the end-entity cert cannot chain to the root ]
[ Convert certificate from PEM to DER format ]
# openssl x509 -in root_ca.crt.pem -outform der -out ready_for_use/root_ca/root_ca.crt.der