Skip to content

Instantly share code, notes, and snippets.

@jadbaz
Last active November 14, 2022 00:43
Show Gist options
  • Save jadbaz/44ef774d5539983fafb283f4add46d07 to your computer and use it in GitHub Desktop.
Save jadbaz/44ef774d5539983fafb283f4add46d07 to your computer and use it in GitHub Desktop.
OpenSSL command line Root and Intermediate CA

OpenSSL command line Root and Intermediate CA

Creating root, intermediate and end-user certs

Prepare

Create a directory to contain everything

Root

Create directory

mkdir -p ./root

cd ./root

Create index files

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create configuration file

vi rootca.conf

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth

[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth

Generate root CA key (no passphrase)

openssl genrsa -out rootca.key 8192

Create self-signed root CA certificate

openssl req -sha256 -new -x509 -days 3650 -key rootca.key -out rootca.crt

Then fill in required info

Intermediate CA

Create directory

cd ../

mkdir -p ./interca1

cd ./interca1

Create index files

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create configuration file

Server certificate configuration

vi interca1.conf

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/interca1.crt
database = $dir/certindex
private_key = $dir/interca1.key
serial = $dir/certserial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
Client certificate configuration

vi interca1_client.conf

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/interca1.crt
database = $dir/certindex
private_key = $dir/interca1.key
serial = $dir/certserial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

Generate intermediate CA key (no passphrase)

openssl genrsa -out interca1.key 8192

Create intermediate CA CSR (Certificate Signing Request)

openssl req -sha256 -new -key interca1.key -out interca1.csr

Then fill in required info. Skip challenge password and optional company name

Sign the intermediate CSR using the root

cd ../root

openssl ca -batch -config rootca.conf -notext -in ../interca1/interca1.csr -out ../interca1/interca1.crt

Creating certificates

Create directory

cd ../interca1

mkdir certs

Generate private key

openssl genrsa -out certs/example.com.key 4096

Create CSR

openssl req -new -sha256 -key certs/example.com.key -out certs/example.com.csr

Then fill in required info. Skip challenge password and optional company name

Sign CSR with intermediate CA

Sign server certificates

openssl ca -batch -config interca1.conf -notext -in certs/example.com.csr -out certs/example.com.crt

Sign client certificates

openssl ca -batch -config interca1_client.conf -notext -in certs/example.com.csr -out certs/example.com.crt

Make certificate chain

cat ../root/rootca.crt interca1.crt > certs/example.com.chain

Collect files

Send the following files to whoever requested the certificate

  • certs/example.com.crt
  • certs/example.com.key
  • certs/example.com.chain

Notes

Inspect a certificate

openssl x509 -in example.com.crt -text -noout

Inspect certificate chain

openssl crl2pkcs7 -nocrl -certfile example.com.chain | openssl pkcs7 -print_certs -text -noout

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment