How to create my own certificate chain?
I would like to set up my own OCSP responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.
I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this, however. Does anyone know where I can find this information?
Edit
In retrospect, my question is not yet completely answered. To clarify the problem, I'll represent my certificate chain like this:
    ROOT -> A -> B -> C -> ...
I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.
My command for creating the root certificate is:
    # key and CSR for the root (1024-bit RSA as posted; 2048 bits is today's minimum)
    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
    # self-sign the CSR with its own key
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Certificate A is created like this:
    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    # signs with the CA that openssl.cnf names under [ca] default_ca
    openssl ca -in client.csr -out client.cer
This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.
Certificate B, however, must only rely on A, which is not registered in the config file, so the previous command won't work here.
What command line should I use to create certificates B and beyond?
Edit
I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:
    # Create a certificate request (-days is ignored without -x509; openssl ca sets the validity)
    openssl req -new -keyout B.key -out B.request -days 365
    # Create and sign the certificate; -keyfile and -cert override the CA named in openssl.cnf
    openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
I also changed the openssl.cnf file:
    [ usr_cert ]
    basicConstraints=CA:TRUE # prev value was FALSE
This approach seems to be working well.
The link at the bottom in the edit section is broken.
– enthusiasticgeek
Jul 15 '14 at 15:58
As of 2015, the article mentioned in the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…
– Iomanip
Jul 18 '15 at 6:51
Refer 8gwifi.org/cafunctions.jsp
– anish
Dec 4 '18 at 5:08
asked Mar 31 '10 at 15:38 by StackedCrooked; edited Apr 8 '10 at 11:28
5 Answers
You can use OpenSSL directly.
Create a Certificate Authority private key (this is your most important key):
    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Issue a client certificate by first generating the key, then the request (or use one provided by an external system), then sign the certificate using the private key of your CA:
    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    openssl ca -in client.csr -out client.cer
(You may need to add some options, as I am using these commands together with my openssl.conf file. You may need to set up your own .conf file first.)
Thanks, your instructions worked after some tweaking of my openssl.conf file.
– StackedCrooked
Apr 1 '10 at 7:59
@twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.
– quack quixote
Apr 7 '10 at 19:08
Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cert ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.
– Iiridayn
Jun 28 '17 at 20:28
"You may need to add some options..." really removes the utility from this answer.
– Zach
Feb 8 '18 at 18:52
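The question's final edit and this answer both lean on openssl ca, which is where the "unable to load CA private key" and demoCA complaints in the comments come from: openssl ca keeps an issuance database (index.txt, serial, newcerts/) and reads everything else from the config section named by default_ca. The script below is an added example, not code from the question or from this answer. It writes one such config per CA, so each issuer carries its own database and the sub-CA A signs without touching the root's config, issues ROOT -> A -> leaf, revokes the leaf, and then answers an OCSP status query from A's index, which is the responder the question set out to build. It assumes a POSIX shell and OpenSSL 1.1.1 or later on PATH; the names ROOT, A and leaf and the starting serial 1000 are placeholders chosen here.

```shell
#!/bin/sh
# Added example: per-CA "openssl ca" databases plus an offline OCSP check.
# Not from the original post. Assumes OpenSSL >= 1.1.1; all names are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# new_ca NAME: create the files "openssl ca" expects for issuer NAME and a config
# pointing at them. "\$dir" is left for OpenSSL to expand; $PWD/$1 is expanded here.
new_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = this_ca
[ this_ca ]
dir              = $PWD/$1
database         = \$dir/index.txt
serial           = \$dir/serial
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/$1.pem
private_key      = \$dir/$1.key
default_md       = sha256
default_days     = 365
policy           = policy_anything
unique_subject   = no
[ policy_anything ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt           = no
[ req_dn ]
CN               = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed ROOT, taking the CA extensions from its own config.
new_ca ROOT
openssl genrsa -out ROOT/ROOT.key 2048 2>/dev/null
openssl req -x509 -new -config ROOT/ca.cnf -extensions v3_ca -key ROOT/ROOT.key \
  -subj "/CN=ROOT" -days 3650 -out ROOT/ROOT.pem

# Sub-CA A: its CSR is signed by ROOT's "openssl ca" and recorded in ROOT's index.
new_ca A
openssl genrsa -out A/A.key 2048 2>/dev/null
openssl req -new -config A/ca.cnf -key A/A.key -subj "/CN=A" -out A/A.csr
openssl ca -batch -notext -config ROOT/ca.cnf -extensions v3_ca -in A/A.csr -out A/A.pem

# Leaf: signed by A's "openssl ca", so it depends only on A, never on ROOT's config.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -config A/ca.cnf -key leaf.key -subj "/CN=leaf" -out leaf.csr
openssl ca -batch -notext -config A/ca.cnf -extensions v3_leaf -in leaf.csr -out leaf.pem

# ocsp_status ISSUER CERT: responder side answers from ISSUER's index and signs with
# ISSUER's own key (a test-bench shortcut; production uses a delegated responder cert
# with the OCSPSigning EKU). Client side verifies the saved response against ROOT and
# prints the status word: good, revoked or unknown.
ocsp_status() {
  openssl ocsp -index "$1/index.txt" -CA "$1/$1.pem" -rsigner "$1/$1.pem" -rkey "$1/$1.key" \
    -issuer "$1/$1.pem" -cert "$2" -no_nonce -respout resp.der >/dev/null 2>&1
  openssl ocsp -issuer "$1/$1.pem" -cert "$2" -CAfile ROOT/ROOT.pem -no_nonce -respin resp.der 2>/dev/null \
    | grep "^$2: " | awk '{print $2}'
}

CHAIN=$(openssl verify -CAfile ROOT/ROOT.pem -untrusted A/A.pem leaf.pem)   # leaf.pem: OK
BEFORE=$(ocsp_status A leaf.pem)                                             # good
openssl ca -batch -config A/ca.cnf -revoke leaf.pem 2>/dev/null              # marks the entry R in A/index.txt
AFTER=$(ocsp_status A leaf.pem)                                              # revoked
echo "$CHAIN; before revocation: $BEFORE; after: $AFTER"
```

Each CA's index.txt is exactly what openssl ocsp -index serves from (add -port to turn the same command into a listening responder), so a revocation made with openssl ca -revoke is visible to OCSP clients immediately. The responder here signs with the CA key itself, which is acceptable on a test bench; a real deployment keeps the CA key offline and issues a separate responder certificate with the OCSPSigning extended key usage.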
Once you have created your CA you could use it to sign thus:
Create a key:
    openssl genrsa -out key_A.key 1024
Create a csr:
    openssl req -new -key key_A.key -out csr_A.csr
You are about to be asked to enter information etc....
Sign it:
    # -set_serial: give each certificate the same CA issues a different serial number
    openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt \
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt
and so on, replacing *_A with *_B, CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key.
Your change:
    basicConstraints=CA:TRUE # prev value was FALSE
means that the certificates you issue can be used to sign other certificates.
thx, very helpful
– flotto
Mar 27 '17 at 7:59
What .crt file?
– MickyD
Oct 1 '18 at 5:12
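One thing to know about openssl x509 -req, the signing command used in this answer: it does not read the usr_cert section of openssl.cnf at all, so the basicConstraints change from the question never reaches a certificate signed this way, and repeating -set_serial 01 gives every certificate from the same CA the same serial. The script below is an added example, not part of the answer. It builds the question's ROOT -> A -> B -> leaf chain with the extensions supplied through -extfile and serials tracked per issuer with -CAcreateserial, verifies the chain, and then shows what happens when an intermediate is issued without CA:TRUE. It assumes a POSIX shell and OpenSSL 1.1.1 or later on PATH; the names ROOT, A and B follow the question, while leaf, B_bad and test.example are placeholders chosen here.

```shell
#!/bin/sh
# Added example: ROOT -> A -> B -> leaf with explicit v3 extensions, then verification.
# Not from the original post. Assumes OpenSSL >= 1.1.1; leaf/B_bad/test.example are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so nothing here depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

# Extensions for CA certificates. Without CA:TRUE and keyCertSign a verifier refuses
# the certificate as an issuer (error 24, "invalid CA certificate").
cat > ext_ca.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Extensions for end-entity certificates: explicitly not a CA.
cat > ext_leaf.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.example
EOF

# issue NAME ISSUER EXTFILE: key and CSR for NAME, signed with ISSUER's key.
# -CAcreateserial keeps a per-issuer serial file (ISSUER.srl), so serials stay unique.
issue() {
  name=$1 issuer=$2 extfile=$3
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$name.key" -subj "/CN=$name" -out "$name.csr"
  openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$extfile" -out "$name.pem" 2>/dev/null
}

# Self-signed ROOT: the only certificate a verifier has to trust explicitly.
openssl genrsa -out ROOT.key 2048 2>/dev/null
openssl req -new -config req.cnf -key ROOT.key -subj "/CN=ROOT" -out ROOT.csr
openssl x509 -req -in ROOT.csr -signkey ROOT.key -days 3650 -sha256 \
  -extfile ext_ca.cnf -out ROOT.pem 2>/dev/null

issue A    ROOT ext_ca.cnf     # ROOT -> A   (intermediate CA)
issue B    A    ext_ca.cnf     # A    -> B   (intermediate CA, depends only on A)
issue leaf B    ext_leaf.cnf   # B    -> leaf
cat A.pem B.pem > chain.pem    # what a server sends alongside leaf.pem

# Negative case: an "intermediate" issued with the leaf profile (CA:FALSE).
# openssl x509 -req signs happily; only the verifier objects.
issue B_bad    A     ext_leaf.cnf
issue leaf_bad B_bad ext_leaf.cnf
cat A.pem B_bad.pem > chain_bad.pem

# chain_status CAFILE UNTRUSTED LEAF: prints OK or FAIL and never aborts the script.
chain_status() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# is_ca CERT: yes/no according to the basicConstraints extension actually in the certificate.
is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

echo "good chain: $(chain_status ROOT.pem chain.pem leaf.pem)"         # OK
echo "bad chain:  $(chain_status ROOT.pem chain_bad.pem leaf_bad.pem)"  # FAIL
echo "B is a CA: $(is_ca B.pem), B_bad is a CA: $(is_ca B_bad.pem)"    # yes, no
```

The bad chain is rejected with verifier error 24 (invalid CA certificate), the same rejection browsers and TLS libraries give; before using any certificate as an issuer, run openssl x509 -in B.pem -noout -text and confirm CA:TRUE and keyCertSign are present.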
OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.
Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.
If I recall correctly, the syntax goes something like this:
    CA.pl -newca   # Create a new root CA
    CA.pl -newreq  # Create a new CSR
    CA.pl -sign    # Sign a CSR, creating a cert
    CA.pl -pkcs12  # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine
This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl
– Colin M
Jan 25 '17 at 22:00
You can do that in one command:
    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.
The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.
Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).
Self-signed certificates are not validated by any third party unless you import them into the browsers beforehand. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).
I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server
It is for Node.JS, but the script in this GitHub repo uses OpenSSL commands to create a root CA cert and a domain cert.
Run using: bash make-root-ca-and-certificates.sh 'example.com'
Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'
make-root-ca-and-certificates.sh
    #!/bin/bash
    FQDN=$1
    # make directories to work from
    mkdir -p certs/{server,client,ca,tmp}
    # Create your very own Root Certificate Authority
    openssl genrsa \
      -out certs/ca/my-root-ca.key.pem \
      2048
    # Self-sign your Root Certificate Authority
    # Since this is private, the details can be as bogus as you like
    openssl req \
      -x509 \
      -new \
      -nodes \
      -key certs/ca/my-root-ca.key.pem \
      -days 1024 \
      -out certs/ca/my-root-ca.crt.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
    # Create a Device Certificate for each domain,
    # such as example.com, *.example.com, awesome.example.com
    # NOTE: You MUST match CN to the domain name or ip address you want to use
    openssl genrsa \
      -out certs/server/privkey.pem \
      2048
    # Create a request from your Device, which your Root CA will sign
    openssl req -new \
      -key certs/server/privkey.pem \
      -out certs/tmp/csr.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"
    # Sign the request from Device with your Root CA
    # -CAserial certs/ca/my-root-ca.srl
    openssl x509 \
      -req -in certs/tmp/csr.pem \
      -CA certs/ca/my-root-ca.crt.pem \
      -CAkey certs/ca/my-root-ca.key.pem \
      -CAcreateserial \
      -out certs/server/cert.pem \
      -days 500
    # Create a public key, for funzies
    # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
    openssl rsa \
      -in certs/server/privkey.pem \
      -pubout -out certs/client/pubkey.pem
    # Put things in their proper place
    rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
    rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
    cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem
Answer "You can use OpenSSL directly": answered Mar 31 '10 at 18:03 by twk; edited Apr 7 '10 at 15:34 by quack quixote
Answer "Once you have created your CA you could use it to sign": answered Apr 29 '12 at 17:54 by Mr_and_Mrs_D; edited Jun 24 '14 at 10:54
answered Mar 31 '10 at 17:51
Spiff
78.2k10119163
2
This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl
– Colin M
Jan 25 '17 at 22:00
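The CA attribute the answer above refers to is the X.509 basicConstraints extension (CA:TRUE), the same setting the question's edit changes in openssl.cnf. The following added example is not from the answer or from OpenSSL's CA.pl; it uses Go's standard library to build the question's ROOT -> A -> B -> leaf chain twice, once with CA:TRUE on the intermediates and once with CA:FALSE, and shows that a verifier trusting only ROOT rejects the second chain. Host names (root.test, a.test, b.test, localhost) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for host signed by parent (nil = self-signed); ca sets basicConstraints CA:TRUE/FALSE.
func issue(host string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, unique enough for a demo
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints ...
		IsCA:                  ca,   // ... with CA:TRUE or CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainVerifies builds ROOT -> A -> B -> leaf, with intermediatesAreCA deciding whether A and B
// carry CA:TRUE, and reports whether a verifier that trusts only ROOT accepts the leaf.
func ChainVerifies(intermediatesAreCA bool) bool {
	root, rootKey := issue("root.test", true, nil, nil)
	a, aKey := issue("a.test", intermediatesAreCA, root, rootKey)
	b, bKey := issue("b.test", intermediatesAreCA, a, aKey)
	leaf, _ := issue("localhost", false, b, bKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(a)
	inters.AddCert(b)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "localhost"})
	return err == nil
}
```

ChainVerifies(true) returns true and ChainVerifies(false) returns false: the signatures are identical in both runs, only the CA flag on A and B differs, which is exactly why the question's openssl.cnf change to basicConstraints=CA:TRUE is needed for chains longer than one hop.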
You can do that in one command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
You can also add -nodes (short for "no DES") if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.
The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.
Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).
Self-signed certificates are not validated by any third party unless you have imported them into the browsers beforehand. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).
answered Jan 29 at 6:01
vharron
1012
I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server
It is for Node.js, but the script in this GitHub repo uses OpenSSL commands to create a root CA cert and a domain cert.
Run using: bash make-root-ca-and-certificates.sh 'example.com'
Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'
make-root-ca-and-certificates.sh
#!/bin/bash
set -e
FQDN=$1
# make directories to work from
mkdir -p certs/{server,client,ca,tmp}
# Create your very own Root Certificate Authority
openssl genrsa \
  -out certs/ca/my-root-ca.key.pem \
  2048
# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -key certs/ca/my-root-ca.key.pem \
  -days 1024 \
  -out certs/ca/my-root-ca.crt.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out certs/server/privkey.pem \
  2048
# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key certs/server/privkey.pem \
  -out certs/tmp/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"
# Sign the request from Device with your Root CA
# -CAserial certs/ca/my-root-ca.srl
openssl x509 \
  -req -in certs/tmp/csr.pem \
  -CA certs/ca/my-root-ca.crt.pem \
  -CAkey certs/ca/my-root-ca.key.pem \
  -CAcreateserial \
  -out certs/server/cert.pem \
  -days 500
# Create a public key, for funzies
# see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
openssl rsa \
  -in certs/server/privkey.pem \
  -pubout -out certs/client/pubkey.pem
# Put things in their proper place
rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem
answered Nov 6 '18 at 22:59
Ralph Bisschops
11
The link at the bottom in edit section is broken
– enthusiasticgeek
Jul 15 '14 at 15:58
2
Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…
– Iomanip
Jul 18 '15 at 6:51
Refer to 8gwifi.org/cafunctions.jsp
– anish
Dec 4 '18 at 5:08