Skip to content

Instantly share code, notes, and snippets.

@jadbaz

jadbaz/OpenSSL_command_line_Root_and_Intermediate_CA.md

Last active April 9, 2025 15:04
Show Gist options
  • Save jadbaz/9350f4df4e4ef4c5d256889aa3d5a5ed to your computer and use it in GitHub Desktop.
Save jadbaz/9350f4df4e4ef4c5d256889aa3d5a5ed to your computer and use it in GitHub Desktop.
Download ZIP
OpenSSL command line Root and Intermediate CA
Raw
OpenSSL_command_line_Root_and_Intermediate_CA.md

OpenSSL command line Root and Intermediate CA

Creating root, intermediate and end-user certs

Prepare

Create a directory to contain everything

Create index files

touch certindex
echo 1000 > certserial
echo 1000 > crlnumber

Create configuration file

vi ca.conf

[ ca ]
default_ca = myca

[ crl_ext ]
issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always

[ myca ]
dir = ./
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[ v3_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName  = @alt_names
authorityInfoAccess = @ocsp_section

[alt_names]
DNS.0 = Sparkling Intermidiate CA 1
DNS.1 = Sparkling CA Intermidiate 1

[crl_section]
URI.0 = http://pki.sparklingca.com/SparklingRoot.crl
URI.1 = http://pki.backup.com/SparklingRoot.crl

[ocsp_section]
caIssuers;URI.0 = http://pki.sparklingca.com/SparklingRoot.crt
caIssuers;URI.1 = http://pki.backup.com/SparklingRoot.crt
OCSP;URI.0 = http://pki.sparklingca.com/ocsp/
OCSP;URI.1 = http://pki.backup.com/ocsp

Root

Generate root CA key (no passphrase)

openssl genrsa -out rootca.key 8192

Create self-signed root CA certificate

openssl req -sha256 -new -x509 -days 3650 -key rootca.key -out rootca.crt

Then fill in required info

Intermediate CA

Generate intermediate CA key (no passphrase)

openssl genrsa -out interca1.key 8192

Create intermediate CA CSR (Certificate Signing Request)

openssl req -sha256 -new -key interca1.key -out interca1.csr Then fill in required info. Skip challenge password and optional company name

Sign the intermediate CSR using the root

openssl ca -batch -config ca.conf -notext -in interca1.csr -out interca1.crt

Creating certificates

Make a directory for user certificates

mkdir certs

Generate private key

openssl genrsa -out certs/example.com.key 4096

Create CSR

openssl req -new -sha256 -key certs/example.com.key -out certs/example.com.csr

Fill in required info. Skip challenge password and optional company name

Sign CSR with intermediate CA

openssl ca -batch -config ca.conf -notext -in certs/example.com.csr -out certs/example.com.crt

Make certificate chain

cat rootca.crt interca1.crt > certs/example.com.chain

Collect files

Send the following files to whoever requested the certificate

  • certs/example.com.crt
  • certs/example.com.key
  • certs/example.com.chain

Notes

Inspect a certificate's content

openssl x509 -in example.com.crt -text -noout | less

Reference

@Piknik1990
Copy link

Piknik1990 commented Apr 9, 2025
edited
Loading

As I see it, according to these instructions, I have signed a user certificate not with an intermediate certificate, but with a CA

$ openssl x509 -noout -text -in rootca.crt | grep -e Issuer: -e Subject:                           
        Issuer: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA                                 
        Subject: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA                                
$ openssl x509 -noout -text -in interca1.crt | grep -e Issuer: -e Subject:                         
        Issuer: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA                                 
        Subject: CN = Private Cloud Intermediate CA, ST = MSK, C = RU, O = "VK, Inc."                                 
$ openssl x509 -noout -text -in certs/example.com.crt | grep -e Issuer: -e Subject:                             
        Issuer: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA                                 
        Subject: CN = lk.corp.ru, ST = MSK, C = RU, O = "VK, Inc."
       
$ openssl verify -CAfile rootca.crt interca1.crt 
interca1.crt: OK
$ cat rootca.crt interca1.crt > ca.chain
$ openssl verify -CAfile ca.chain certs/example.com.crt
certs/example.com.crt: OK
$ openssl verify -CAfile rootca.crt certs/example.com.crt
certs/example.com.crt: OK

In order to honestly sign a user certificate with an intermediate one, you need to add this segment to the config.:

$ vi ca.conf
...
[ v3_req ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
...

And instead of

openssl ca -batch -config ca.conf -notext -in certs/example.com.csr -out certs/example.com.crt

run

openssl x509 -req -days 365 -in certs/example.com.csr -CA interca1.crt -CAkey interca1.key -CAcreateserial -out certs/example.com.crt -extfile ca.conf -extensions v3_req

It would be more correct.:

$ openssl x509 -noout -text -in rootca.crt | grep -e Issuer: -e Subject:
        Issuer: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA
        Subject: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA
$ openssl x509 -noout -text -in interca1.crt | grep -e Issuer: -e Subject:
        Issuer: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = Private Cloud Root CA
        Subject: CN = Private Cloud Intermediate CA, ST = MSK, C = RU, O = "VK, Inc."
$ openssl x509 -noout -text -in certs/example.com.crt | grep -e Issuer: -e Subject: 
        Issuer: CN = Private Cloud Intermediate CA, ST = MSK, C = RU, O = "VK, Inc."
        Subject: C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = lk.corp.ru

$ openssl verify -CAfile rootca.crt interca1.crt 
interca1.crt: OK
$ cat rootca.crt interca1.crt > ca.chain
$ openssl verify -CAfile ca.chain certs/example.com.crt
certs/example.com.crt: OK
$ openssl verify -CAfile rootca.crt certs/example.com.crt
C = RU, ST = MSK, L = MSK, O = "VK, Inc.", CN = lk.corp.ru
error 20 at 0 depth lookup: unable to get local issuer certificate
error certs/example.com.crt: verification failed

Maybe it can be made more beautiful somehow, but I don't care.

UPD: My openssl version:

# openssl version                                                                              
OpenSSL 1.1.1w  FIPS 11 Sep 2023

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment