Differences

This shows you the differences between two versions of the page.

--- ssl:generate-certificates-self-signed [2020/08/08 18:16] – odefta
+++ ssl:generate-certificates-self-signed [2020/08/08 18:45] – odefta
@@ Line 190: / Line 190: @@
 type NUL > ca.db.index
 </code>
-Generate the intermediate CA:
 Generate the private key and csr:
@@ Line 226: / Line 224: @@
 </code>
-Generate the actual certificate:
+Generate the actual intermediate CA:
 <code>
 openssl ca -config int1.conf -out int1.crt -infiles int1.csr
@@ Line 263: / Line 261: @@
 {{:ssl:pasted:20200808-180456.png}}
+====== Generate another intermediate CA ======
+Repeat the steps for the above configuration, but change the config file as:
+<file ini int2.conf>
+[ ca ]
+default_ca = default_CA
+[ default_CA ]
+dir = .
+certs = .
+new_certs_dir = ca.db.certs
+database = ca.db.index
+serial = ca.db.serial
+RANDFILE = random-bits
+certificate = int1.crt
+private_key = int1.key
+default_days = 500
+default_crl_days = 30
+default_md = sha256
+preserve = no
+x509_extensions = server_cert
+policy = policy_anything
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[ server_cert ]
+#subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+extendedKeyUsage = serverAuth,clientAuth,msSGC,nsSGC
+basicConstraints = critical,CA:true
+</file>
+Then generate the private key and csr:
+<code>
+openssl req -new -newkey rsa:2048 -nodes -keyout int2.key -out int2.csr
+</code>
+Finally generate the certificate:
+<code>
+openssl ca -config int2.conf -out int2.crt -infiles int2.csr
+</code>
+Output:
+<code>
+Using configuration from int2.conf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'RO'
+stateOrProvinceName   :ASN.1 12:'Romania'
+localityName          :ASN.1 12:'Bucharest'
+organizationName      :ASN.1 12:'AX'
+organizationalUnitName:ASN.1 12:'AX INT2 CA'
+commonName            :ASN.1 12:'item-ax32034-INT2'
+emailAddress          :IA5STRING:'int2@ax.com'
+Certificate is to be certified until Dec 21 15:39:26 2021 GMT (500 days)
+Sign the certificate? [y/n]:y
+out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+</code>
+Final CA certificate with 2 intermediate CA - int2.crt images:
+{{:ssl:pasted:20200808-184510.png}}
+{{:ssl:pasted:20200808-184522.png}}
+{{:ssl:pasted:20200808-184533.png}}