ssl:generate-certificates-self-signed

Differences

This shows you the differences between two versions of the page.

ssl:generate-certificates-self-signed [2020/08/08 18:05] odeftassl:generate-certificates-self-signed [2020/08/08 18:45] odefta
Line 191: Line 191:
 </code> </code>
  
-Generate the intermediate CA:+Generate the private key and csr: 
 +<code> 
 +openssl req -new -newkey rsa:2048 -nodes -keyout int1.key -out int1.csr 
 +</code> 
 + 
 +Output: 
 +<code> 
 +Generating a RSA private key 
 +.............................+++++ 
 +............................................+++++ 
 +writing new private key to 'int1.key' 
 +----- 
 +You are about to be asked to enter information that will be incorporated 
 +into your certificate request. 
 +What you are about to enter is what is called a Distinguished Name or a DN. 
 +There are quite a few fields but you can leave some blank 
 +For some fields there will be a default value, 
 +If you enter '.', the field will be left blank. 
 +----- 
 +Country Name (2 letter code) [AU]:RO 
 +State or Province Name (full name) [Some-State]:Romania 
 +Locality Name (eg, city) []:Bucharest 
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:AX 
 +Organizational Unit Name (eg, section) []:AX INT1 CA 
 +Common Name (e.g. server FQDN or YOUR name) []:item-ax32034-INT1 
 +Email Address []:int1@ax.com 
 + 
 +Please enter the following 'extra' attributes 
 +to be sent with your certificate request 
 +A challenge password []: 
 +An optional company name []: 
 +</code>
  
 +Generate the actual intermediate CA:
 <code> <code>
 openssl ca -config int1.conf -out int1.crt -infiles int1.csr openssl ca -config int1.conf -out int1.crt -infiles int1.csr
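Review bot: the added key-generation command passes -nodes, so int1.key is written to disk unencrypted, and this is the private key of an intermediate CA rather than of a leaf certificate. Suggest dropping -nodes so that "openssl req" asks for a passphrase (the later "openssl ca -config int1.conf ..." step will then prompt for it when signing), or at least adding a step right after generation that restricts read access to int1.key to the CA operator. It would also help to state that the DN values in the pasted output (RO, AX, item-ax32034-INT1, int1@ax.com) are sample input to be replaced.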
Line 229: Line 261:
 {{:ssl:pasted:20200808-180456.png}} {{:ssl:pasted:20200808-180456.png}}
  
 +====== Generate another intermediate CA ======
 +
 +Repeat the steps for the above configuration, but change the config file as:
 +
 +<file ini int2.conf>
 +[ ca ]
 +default_ca = default_CA
 +[ default_CA ]
 +dir = .
 +certs = .
 +new_certs_dir = ca.db.certs
 +database = ca.db.index
 +serial = ca.db.serial
 +RANDFILE = random-bits
 +certificate = int1.crt
 +private_key = int1.key
 +default_days = 500
 +default_crl_days = 30
 +default_md = sha256
 +preserve = no
 +x509_extensions = server_cert
 +policy = policy_anything
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +[ server_cert ]
 +#subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid
 +extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
 +basicConstraints = critical,CA:true
 +</file>
 +
 +Then generate the private key and csr:
 +
 +<code>
 +openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr
 +</code> 
 +
 +Finally generate the certificate:
 +
 +<code>
 +openssl ca -config int2.conf -out int2.crt -infiles int2.csr
 +</code>
 +
 +Output:
 +
 +<code>
 +Using configuration from int2.conf
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +countryName           :PRINTABLE:'RO'
 +stateOrProvinceName   :ASN.1 12:'Romania'
 +localityName          :ASN.1 12:'Bucharest'
 +organizationName      :ASN.1 12:'AX'
 +organizationalUnitName:ASN.1 12:'AX INT2 CA'
 +commonName            :ASN.1 12:'item-ax32034-INT2'
 +emailAddress          :IA5STRING:'int2@ax.com'
 +Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days)
 +Sign the certificate? [y/n]:y
 +
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</code>
 +
 +Final CA certificate with 2 intermediate CA - int2.crt images:
 +
 +{{:ssl:pasted:20200808-184510.png}}
 +
 +{{:ssl:pasted:20200808-184522.png}}
 +
 +{{:ssl:pasted:20200808-184533.png}}
 + 
  
  
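Review bot: in int2.conf the [ server_cert ] section is what turns int2 into a CA, and it does so with "basicConstraints = critical,CA:true" only: no pathlen, no keyUsage, and an extendedKeyUsage list written for server and client certificates. As written, int2 can sign further CAs to any depth. If int2 is meant to issue end-entity certificates only, suggest "basicConstraints = critical,CA:true,pathlen:0" plus "keyUsage = critical,keyCertSign,cRLSign", and renaming the section so it is not mistaken for a leaf profile. The line "#subjectKeyIdentifier = hash" is commented out while "authorityKeyIdentifier = keyid" is set, so int2.crt carries no subject key identifier for certificates issued under it to reference; uncommenting it would make chain building less ambiguous. The same int1.key that the previous hunk generates unencrypted is used here as "private_key = int1.key", which is worth a sentence in the text.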
ssl/generate-certificates-self-signed.txt · Last modified: 2023/07/04 19:36 by 127.0.0.1