How to create my own certificate chain?












56















I would like to setup my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.



I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this however. Does anyone know where I can find this information?



Edit

In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:



ROOT -> A -> B -> C -> ...



I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.



My command for creating the root certificate is:



openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem


Certificate A is created like this:



openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer


This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.



Certificate B however must only rely on A, which is not registered in the config file, so the previous command won't work here.



What command line should I use to create certificates B and beyond?



Edit

I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:



# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request


I also changed the openssl.cnf file:



[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE


This approach seems to be working well.










share|improve this question

























  • The link at the bottom in edit section is broken

    – enthusiasticgeek
    Jul 15 '14 at 15:58






  • 2





    Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

    – Iomanip
    Jul 18 '15 at 6:51











  • Refer 8gwifi.org/cafunctions.jsp

    – anish
    Dec 4 '18 at 5:08
















56















I would like to setup my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.



I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this however. Does anyone know where I can find this information?



Edit

In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:



ROOT -> A -> B -> C -> ...



I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.



My command for creating the root certificate is:



openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem


Certificate A is created like this:



openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer


This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.



Certificate B however must only rely on A, which is not registered in the config file, so the previous command won't work here.



What command line should I use to create certificates B and beyond?



Edit

I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:



# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request


I also changed the openssl.cnf file:



[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE


This approach seems to be working well.










share|improve this question

























  • The link at the bottom in edit section is broken

    – enthusiasticgeek
    Jul 15 '14 at 15:58






  • 2





    Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

    – Iomanip
    Jul 18 '15 at 6:51











  • Refer 8gwifi.org/cafunctions.jsp

    – anish
    Dec 4 '18 at 5:08














56












56








56


31






I would like to setup my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.



I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this however. Does anyone know where I can find this information?



Edit

In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:



ROOT -> A -> B -> C -> ...



I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.



My command for creating the root certificate is:



openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem


Certificate A is created like this:



openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer


This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.



Certificate B however must only rely on A, which is not registered in the config file, so the previous command won't work here.



What command line should I use to create certificates B and beyond?



Edit

I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:



# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request


I also changed the openssl.cnf file:



[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE


This approach seems to be working well.










share|improve this question
















I would like to setup my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.



I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this however. Does anyone know where I can find this information?



Edit

In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:



ROOT -> A -> B -> C -> ...



I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.



My command for creating the root certificate is:



openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem


Certificate A is created like this:



openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer


This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.



Certificate B however must only rely on A, which is not registered in the config file, so the previous command won't work here.



What command line should I use to create certificates B and beyond?



Edit

I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:



# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request


I also changed the openssl.cnf file:



[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE


This approach seems to be working well.







ssl certificate






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 8 '10 at 11:28







StackedCrooked

















asked Mar 31 '10 at 15:38









StackedCrookedStackedCrooked

1,31592642




1,31592642













  • The link at the bottom in edit section is broken

    – enthusiasticgeek
    Jul 15 '14 at 15:58






  • 2





    Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

    – Iomanip
    Jul 18 '15 at 6:51











  • Refer 8gwifi.org/cafunctions.jsp

    – anish
    Dec 4 '18 at 5:08



















  • The link at the bottom in edit section is broken

    – enthusiasticgeek
    Jul 15 '14 at 15:58






  • 2





    Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

    – Iomanip
    Jul 18 '15 at 6:51











  • Refer 8gwifi.org/cafunctions.jsp

    – anish
    Dec 4 '18 at 5:08

















The link at the bottom in edit section is broken

– enthusiasticgeek
Jul 15 '14 at 15:58





The link at the bottom in edit section is broken

– enthusiasticgeek
Jul 15 '14 at 15:58




2




2





Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

– Iomanip
Jul 18 '15 at 6:51





Up to 2015 the article mentioned on the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…

– Iomanip
Jul 18 '15 at 6:51













Refer 8gwifi.org/cafunctions.jsp

– anish
Dec 4 '18 at 5:08





Refer 8gwifi.org/cafunctions.jsp

– anish
Dec 4 '18 at 5:08










5 Answers
5






active

oldest

votes


















26














You can use OpenSSL directly.





  1. Create a Certificate Authority private key (this is your most important key):



    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



  2. Create your CA self-signed certificate:



    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



  3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    openssl ca -in client.csr -out client.cer



(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






share|improve this answer


























  • Thanks, you instructions worked after some tweaking of my openssl.conf file.

    – StackedCrooked
    Apr 1 '10 at 7:59






  • 3





    @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

    – quack quixote
    Apr 7 '10 at 19:08






  • 2





    Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

    – Iiridayn
    Jun 28 '17 at 20:28






  • 13





    "You may need to add some options..." really removes the utility from this answer.

    – Zach
    Feb 8 '18 at 18:52



















11














Once you have created your CA you could use it to sign thus :





  • Create a key :



    openssl genrsa -out key_A.key  1024



  • Create a csr :



    openssl req -new -key key_A.key -out csr_A.csr
    You are about to be asked to enter information etc....



  • Sign it :



    openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
    -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


    and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




Your changing :



basicConstraints=CA:TRUE  # prev value was FALSE


means that the certificates you issue can be used to sign other certificates.






share|improve this answer


























  • thx, very helpful

    – flotto
    Mar 27 '17 at 7:59






  • 1





    What .crt file?

    – MickyD
    Oct 1 '18 at 5:12



















7














OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.



Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.



If I recall correctly, the syntax goes something like this:



CA.pl -newca    # Create a new root CA  

CA.pl -newreq # Create a new CSR

CA.pl -sign # Sign a CSR, creating a cert

CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine





share|improve this answer



















  • 2





    This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

    – Colin M
    Jan 25 '17 at 22:00



















0














You can do that in one command:



openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365


You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.



The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.



Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).



Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).






share|improve this answer































    -1














    I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server



    It is for Node.JS but script in this GitHub repo uses openSLL commands to create a root CA cert and Domain cert.



    Run using: bash make-root-ca-and-certificates.sh 'example.com'



    Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'



    make-root-ca-and-certificates.sh



    #!/bin/bash
    FQDN=$1

    # make directories to work from
    mkdir -p certs/{server,client,ca,tmp}

    # Create your very own Root Certificate Authority
    openssl genrsa
    -out certs/ca/my-root-ca.key.pem
    2048

    # Self-sign your Root Certificate Authority
    # Since this is private, the details can be as bogus as you like
    openssl req
    -x509
    -new
    -nodes
    -key certs/ca/my-root-ca.key.pem
    -days 1024
    -out certs/ca/my-root-ca.crt.pem
    -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

    # Create a Device Certificate for each domain,
    # such as example.com, *.example.com, awesome.example.com
    # NOTE: You MUST match CN to the domain name or ip address you want to use
    openssl genrsa
    -out certs/server/privkey.pem
    2048

    # Create a request from your Device, which your Root CA will sign
    openssl req -new
    -key certs/server/privkey.pem
    -out certs/tmp/csr.pem
    -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

    # Sign the request from Device with your Root CA
    # -CAserial certs/ca/my-root-ca.srl
    openssl x509
    -req -in certs/tmp/csr.pem
    -CA certs/ca/my-root-ca.crt.pem
    -CAkey certs/ca/my-root-ca.key.pem
    -CAcreateserial
    -out certs/server/cert.pem
    -days 500

    # Create a public key, for funzies
    # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
    openssl rsa
    -in certs/server/privkey.pem
    -pubout -out certs/client/pubkey.pem

    # Put things in their proper place
    rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
    rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
    cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f126121%2fhow-to-create-my-own-certificate-chain%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      26














      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer


























      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 13





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52
















      26














      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer


























      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 13





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52














      26












      26








      26







      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer















      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Apr 7 '10 at 15:34









      quack quixote

      35.3k1087119




      35.3k1087119










      answered Mar 31 '10 at 18:03









      twktwk

      495148




      495148













      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 13





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52



















      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 13





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52

















      Thanks, you instructions worked after some tweaking of my openssl.conf file.

      – StackedCrooked
      Apr 1 '10 at 7:59





      Thanks, you instructions worked after some tweaking of my openssl.conf file.

      – StackedCrooked
      Apr 1 '10 at 7:59




      3




      3





      @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

      – quack quixote
      Apr 7 '10 at 19:08





      @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

      – quack quixote
      Apr 7 '10 at 19:08




      2




      2





      Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

      – Iiridayn
      Jun 28 '17 at 20:28





      Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

      – Iiridayn
      Jun 28 '17 at 20:28




      13




      13





      "You may need to add some options..." really removes the utility from this answer.

      – Zach
      Feb 8 '18 at 18:52





      "You may need to add some options..." really removes the utility from this answer.

      – Zach
      Feb 8 '18 at 18:52













      11














      Once you have created your CA you could use it to sign thus :





      • Create a key :



        openssl genrsa -out key_A.key  1024



      • Create a csr :



        openssl req -new -key key_A.key -out csr_A.csr
        You are about to be asked to enter information etc....



      • Sign it :



        openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


        and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




      Your changing :



      basicConstraints=CA:TRUE  # prev value was FALSE


      means that the certificates you issue can be used to sign other certificates.






      share|improve this answer


























      • thx, very helpful

        – flotto
        Mar 27 '17 at 7:59






      • 1





        What .crt file?

        – MickyD
        Oct 1 '18 at 5:12
















      11














      Once you have created your CA you could use it to sign thus :





      • Create a key :



        openssl genrsa -out key_A.key  1024



      • Create a csr :



        openssl req -new -key key_A.key -out csr_A.csr
        You are about to be asked to enter information etc....



      • Sign it :



        openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


        and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




      Your changing :



      basicConstraints=CA:TRUE  # prev value was FALSE


      means that the certificates you issue can be used to sign other certificates.






      share|improve this answer


























      • thx, very helpful

        – flotto
        Mar 27 '17 at 7:59






      • 1





        What .crt file?

        – MickyD
        Oct 1 '18 at 5:12














      11












      11








      11







      Once you have created your CA you could use it to sign thus :





      • Create a key :



        openssl genrsa -out key_A.key  1024



      • Create a csr :



        openssl req -new -key key_A.key -out csr_A.csr
        You are about to be asked to enter information etc....



      • Sign it :



        openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


        and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




      Your changing :



      basicConstraints=CA:TRUE  # prev value was FALSE


      means that the certificates you issue can be used to sign other certificates.






      share|improve this answer















      Once you have created your CA you could use it to sign thus :





      • Create a key :



        openssl genrsa -out key_A.key  1024



      • Create a csr :



        openssl req -new -key key_A.key -out csr_A.csr
        You are about to be asked to enter information etc....



      • Sign it :



        openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


        and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




      Your changing :



      basicConstraints=CA:TRUE  # prev value was FALSE


      means that the certificates you issue can be used to sign other certificates.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Jun 24 '14 at 10:54

























      answered Apr 29 '12 at 17:54









      Mr_and_Mrs_DMr_and_Mrs_D

      4513826




      4513826













      • thx, very helpful

        – flotto
        Mar 27 '17 at 7:59






      • 1





        What .crt file?

        – MickyD
        Oct 1 '18 at 5:12



















      • thx, very helpful

        – flotto
        Mar 27 '17 at 7:59






      • 1





        What .crt file?

        – MickyD
        Oct 1 '18 at 5:12

















      thx, very helpful

      – flotto
      Mar 27 '17 at 7:59





      thx, very helpful

      – flotto
      Mar 27 '17 at 7:59




      1




      1





      What .crt file?

      – MickyD
      Oct 1 '18 at 5:12





      What .crt file?

      – MickyD
      Oct 1 '18 at 5:12











      7














      OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.



      Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.



      If I recall correctly, the syntax goes something like this:



      CA.pl -newca    # Create a new root CA  

      CA.pl -newreq # Create a new CSR

      CA.pl -sign # Sign a CSR, creating a cert

      CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine





      share|improve this answer



















      • 2





        This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

        – Colin M
        Jan 25 '17 at 22:00
















      7














      OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.



      Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.



      If I recall correctly, the syntax goes something like this:



      CA.pl -newca    # Create a new root CA  

      CA.pl -newreq # Create a new CSR

      CA.pl -sign # Sign a CSR, creating a cert

      CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine





      share|improve this answer



















      • 2





        This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

        – Colin M
        Jan 25 '17 at 22:00














      7












      7








      7







      OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.



      Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.



      If I recall correctly, the syntax goes something like this:



      CA.pl -newca    # Create a new root CA  

      CA.pl -newreq # Create a new CSR

      CA.pl -sign # Sign a CSR, creating a cert

      CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine





      share|improve this answer













      OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.



      Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.



      If I recall correctly, the syntax goes something like this:



      CA.pl -newca    # Create a new root CA  

      CA.pl -newreq # Create a new CSR

      CA.pl -sign # Sign a CSR, creating a cert

      CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine






      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Mar 31 '10 at 17:51









      SpiffSpiff

      78.2k10119163




      78.2k10119163








      • 2





        This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

        – Colin M
        Jan 25 '17 at 22:00














      • 2





        This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

        – Colin M
        Jan 25 '17 at 22:00








      2




      2





      This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

      – Colin M
      Jan 25 '17 at 22:00





      This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl

      – Colin M
      Jan 25 '17 at 22:00











      0














      You can do that in one command:



      openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365


      You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.



      The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.



      Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).



      Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).






      share|improve this answer




























        0














        You can do that in one command:



        openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365


        You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.



        The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.



        Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).



        Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).






        share|improve this answer


























          0












          0








          0







          You can do that in one command:



          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365


          You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.



          The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.



          Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).



          Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).






          share|improve this answer













          You can do that in one command:



          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365


          You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.



          The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.



          Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).



          Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 29 at 6:01









          vharronvharron

          1012




          1012























              -1














              I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server



              It is for Node.JS but script in this GitHub repo uses openSLL commands to create a root CA cert and Domain cert.



              Run using: bash make-root-ca-and-certificates.sh 'example.com'



              Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'



              make-root-ca-and-certificates.sh



              #!/bin/bash
              FQDN=$1

              # make directories to work from
              mkdir -p certs/{server,client,ca,tmp}

              # Create your very own Root Certificate Authority
              openssl genrsa
              -out certs/ca/my-root-ca.key.pem
              2048

              # Self-sign your Root Certificate Authority
              # Since this is private, the details can be as bogus as you like
              openssl req
              -x509
              -new
              -nodes
              -key certs/ca/my-root-ca.key.pem
              -days 1024
              -out certs/ca/my-root-ca.crt.pem
              -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

              # Create a Device Certificate for each domain,
              # such as example.com, *.example.com, awesome.example.com
              # NOTE: You MUST match CN to the domain name or ip address you want to use
              openssl genrsa
              -out certs/server/privkey.pem
              2048

              # Create a request from your Device, which your Root CA will sign
              openssl req -new
              -key certs/server/privkey.pem
              -out certs/tmp/csr.pem
              -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

              # Sign the request from Device with your Root CA
              # -CAserial certs/ca/my-root-ca.srl
              openssl x509
              -req -in certs/tmp/csr.pem
              -CA certs/ca/my-root-ca.crt.pem
              -CAkey certs/ca/my-root-ca.key.pem
              -CAcreateserial
              -out certs/server/cert.pem
              -days 500

              # Create a public key, for funzies
              # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
              openssl rsa
              -in certs/server/privkey.pem
              -pubout -out certs/client/pubkey.pem

              # Put things in their proper place
              rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
              rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
              cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





              share|improve this answer




























                -1














                I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server



                It is for Node.JS but script in this GitHub repo uses openSLL commands to create a root CA cert and Domain cert.



                Run using: bash make-root-ca-and-certificates.sh 'example.com'



                Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'



                make-root-ca-and-certificates.sh



                #!/bin/bash
                FQDN=$1

                # make directories to work from
                mkdir -p certs/{server,client,ca,tmp}

                # Create your very own Root Certificate Authority
                openssl genrsa
                -out certs/ca/my-root-ca.key.pem
                2048

                # Self-sign your Root Certificate Authority
                # Since this is private, the details can be as bogus as you like
                openssl req
                -x509
                -new
                -nodes
                -key certs/ca/my-root-ca.key.pem
                -days 1024
                -out certs/ca/my-root-ca.crt.pem
                -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

                # Create a Device Certificate for each domain,
                # such as example.com, *.example.com, awesome.example.com
                # NOTE: You MUST match CN to the domain name or ip address you want to use
                openssl genrsa
                -out certs/server/privkey.pem
                2048

                # Create a request from your Device, which your Root CA will sign
                openssl req -new
                -key certs/server/privkey.pem
                -out certs/tmp/csr.pem
                -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

                # Sign the request from Device with your Root CA
                # -CAserial certs/ca/my-root-ca.srl
                openssl x509
                -req -in certs/tmp/csr.pem
                -CA certs/ca/my-root-ca.crt.pem
                -CAkey certs/ca/my-root-ca.key.pem
                -CAcreateserial
                -out certs/server/cert.pem
                -days 500

                # Create a public key, for funzies
                # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
                openssl rsa
                -in certs/server/privkey.pem
                -pubout -out certs/client/pubkey.pem

                # Put things in their proper place
                rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
                rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
                cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





                share|improve this answer


























                  -1












                  -1








                  -1







                  I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server



                  It is for Node.JS but script in this GitHub repo uses openSLL commands to create a root CA cert and Domain cert.



                  Run using: bash make-root-ca-and-certificates.sh 'example.com'



                  Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'



                  make-root-ca-and-certificates.sh



                  #!/bin/bash
                  FQDN=$1

                  # make directories to work from
                  mkdir -p certs/{server,client,ca,tmp}

                  # Create your very own Root Certificate Authority
                  openssl genrsa
                  -out certs/ca/my-root-ca.key.pem
                  2048

                  # Self-sign your Root Certificate Authority
                  # Since this is private, the details can be as bogus as you like
                  openssl req
                  -x509
                  -new
                  -nodes
                  -key certs/ca/my-root-ca.key.pem
                  -days 1024
                  -out certs/ca/my-root-ca.crt.pem
                  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

                  # Create a Device Certificate for each domain,
                  # such as example.com, *.example.com, awesome.example.com
                  # NOTE: You MUST match CN to the domain name or ip address you want to use
                  openssl genrsa
                  -out certs/server/privkey.pem
                  2048

                  # Create a request from your Device, which your Root CA will sign
                  openssl req -new
                  -key certs/server/privkey.pem
                  -out certs/tmp/csr.pem
                  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

                  # Sign the request from Device with your Root CA
                  # -CAserial certs/ca/my-root-ca.srl
                  openssl x509
                  -req -in certs/tmp/csr.pem
                  -CA certs/ca/my-root-ca.crt.pem
                  -CAkey certs/ca/my-root-ca.key.pem
                  -CAcreateserial
                  -out certs/server/cert.pem
                  -days 500

                  # Create a public key, for funzies
                  # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
                  openssl rsa
                  -in certs/server/privkey.pem
                  -pubout -out certs/client/pubkey.pem

                  # Put things in their proper place
                  rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
                  rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
                  cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





                  share|improve this answer













                  I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server



                  It is for Node.JS but script in this GitHub repo uses openSLL commands to create a root CA cert and Domain cert.



                  Run using: bash make-root-ca-and-certificates.sh 'example.com'



                  Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'



                  make-root-ca-and-certificates.sh



                  #!/bin/bash
                  FQDN=$1

                  # make directories to work from
                  mkdir -p certs/{server,client,ca,tmp}

                  # Create your very own Root Certificate Authority
                  openssl genrsa
                  -out certs/ca/my-root-ca.key.pem
                  2048

                  # Self-sign your Root Certificate Authority
                  # Since this is private, the details can be as bogus as you like
                  openssl req
                  -x509
                  -new
                  -nodes
                  -key certs/ca/my-root-ca.key.pem
                  -days 1024
                  -out certs/ca/my-root-ca.crt.pem
                  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

                  # Create a Device Certificate for each domain,
                  # such as example.com, *.example.com, awesome.example.com
                  # NOTE: You MUST match CN to the domain name or ip address you want to use
                  openssl genrsa
                  -out certs/server/privkey.pem
                  2048

                  # Create a request from your Device, which your Root CA will sign
                  openssl req -new
                  -key certs/server/privkey.pem
                  -out certs/tmp/csr.pem
                  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

                  # Sign the request from Device with your Root CA
                  # -CAserial certs/ca/my-root-ca.srl
                  openssl x509
                  -req -in certs/tmp/csr.pem
                  -CA certs/ca/my-root-ca.crt.pem
                  -CAkey certs/ca/my-root-ca.key.pem
                  -CAcreateserial
                  -out certs/server/cert.pem
                  -days 500

                  # Create a public key, for funzies
                  # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
                  openssl rsa
                  -in certs/server/privkey.pem
                  -pubout -out certs/client/pubkey.pem

                  # Put things in their proper place
                  rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
                  rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
                  cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 6 '18 at 22:59









                  Ralph BisschopsRalph Bisschops

                  11




                  11






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Super User!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f126121%2fhow-to-create-my-own-certificate-chain%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Сан-Квентин

                      8-я гвардейская общевойсковая армия

                      Алькесар