Self Signed Certificate with Custom Root CA

self-signed-certificate-with-custom-ca.md

Create Root CA (Done once)

TLDR

# Generate CA key and cert (use -nodes to remove pass phrase)
openssl req -x509 -nodes -newkey rsa:2048 -keyout rootCA.key \
  -days 1024 -out rootCA.crt \
  -subj "/C=SG/OU=www.org/O=MyOrg, Inc./CN=My Org Root CA"
# Generate server key and CSR (OpenSSL 1.1.1+)
openssl req -newkey rsa:2048 -days 3650 -nodes \
  -keyout mydomain.com.key \
  -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=mydomain.com" \
  -addext "subjectAltName=DNS:mydomain.com,DNS:*.mydomain.com,IP:127.0.0.1" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "basicConstraints=CA:false" \
  -out mydomain.com.csr
# Generate server key and CSR (OpenSSL <1.1.1)
openssl req -newkey rsa:2048 -days 3650 -nodes \
  -keyout mydomain.com.key \
  -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=mydomain.com" \
  -config ssl.conf \
  -out mydomain.com.csr
# Sign server certificate using CA key and cert (see below for ssl.conf)
openssl x509 -req \
  -in mydomain.com.csr \
  -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -out mydomain.com.crt -days 1825 -sha256 \
  -extfile ssl.conf -extensions v3_ca 

Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

# Generate Private Key (PKCS#8). Note that genpkey has superseded genrsa (remove -aes256 to remove pass phrase)
openssl genpkey -algorithm RSA -aes256 -pkeyopt rsa_keygen_bits:2048 -out genpkey.key

# [Superseded by genpkey] Genrate RSA Private Key (PKCS#1) (use -nodes to remove pass phrase)
openssl genrsa -des3 -out rootCA.key 2048

If you want a non password protected key just remove the -des3 option

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

Create a certificate (Done for each server)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA

Create the certificate key

# No passphrase
openssl genrsa -out mydomain.com.key 2048
# With passphrase
openssl genrsa -des3 -out mydomain.com.key 2048

Create the signing (csr)

The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.

Important: Please mind that while creating the signign request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.

I will describe here two ways to generate

Method A (Interactive)

If you generate the csr in this way, openssl will ask you questions about the certificate to generate like the organization details and the Common Name (CN) that is the web address you are creating the certificate for, e.g mydomain.com.

openssl req -new -key mydomain.com.key -out mydomain.com.csr

Method B (One Liner)

This method generates the same output as Method A but it's suitable for use in your automation :) .

openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr

If you need to pass additional config you can use the -config parameter, here for example I want to add alternative names to my certificate.

# OpenSSL 1.1.1 and above
openssl req -new -sha256 \
    -key mydomain.com.key \
    -subj "/C=SG/L=Singapore/O=MyOrg, Inc./CN=mydomain.com" \
    -addext "subjectAltName=DNS:localhost,DNS:*.local" \
    -out private.csr

# Using ssl.conf
openssl req -new -sha256 \
    -key mydomain.com.key \
    -out private.csr \
    -config ssl.conf

Silent, no prompt:

[ req ]
default_bits       = 4096
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_ca

[ req_distinguished_name ]
C  = SG
L  = Singapore
O  = ACME
CN = localhost

[ v3_ca ]
authorityKeyIdentifier=keyid, issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost
DNS.2   = *.local
IP.1    = 127.0.0.1

With prompt:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = v3_ca

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = SG
localityName                = Locality Name (eg, city)
localityName_default        = Singapore
organizationName            = Organization Name (eg, company)
organizationName_default    = ACME
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = localhost

[ v3_ca ]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost
DNS.2   = *.local

Reference:

• https://www.openssl.org/docs/man1.1.0/man1/req.html

• https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

Verify the csr's content

openssl req -in mydomain.com.csr -noout -text

Generate the certificate using the mydomain csr and key along with the CA Root key

The first time you use your CA to sign a certificate you can use the -CAcreateserial option. This option will create a file (.srl) containing a serial number. Subsequently you will have to use the -CAserial option (and no more -CAcreateserial) followed with the name of the .srl file containing your serial number. This file will be incremented each time you sign a new certificate. And we can have an idea of the number of certificate created by a CA.

openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256

Verify the certificate's content

openssl x509 -in mydomain.com.crt -text -noout