How to make a Root CA, Intermediate CA / Sub CA, and Server Certificate with the OpenSSL command
- Keep RootCA.key and IntermediateCA.key secure.
- Upload RootCA.crt and IntermediateCA.crt to the client's system or browser.
- Use the Intermediate CA to sign server certificates as needed (web server, FTP server, mail server, etc.).
This configuration is just an example; adjust the certificate names and attributes to your needs.
In this tutorial we use the OpenSSL command directly, but you can also use the CA.pl script that ships with OpenSSL.
Generate Root CA
1. Generate the Root CA key.
openssl genrsa -out RootCA.key 4096
2. Generate the self-signed Root certificate.
openssl req -new -x509 -days 1826 -key RootCA.key -out RootCA.crt
Generate Intermediate CA
Create a file subca.conf that defines the v3_subca extensions section (basicConstraints CA:TRUE and CA key usage) referenced when signing in step 3.
1. Generate the Intermediate CA key.
openssl genrsa -out IntermediateCA.key 4096
2. Generate the Intermediate CA CSR.
openssl req -new -key IntermediateCA.key -out IntermediateCA.csr
3. Sign the Intermediate CA CSR with the Root CA.
openssl x509 -extfile subca.conf -extensions v3_subca -req -days 1000 -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out IntermediateCA.crt
Generate Server Certificate
Then generate the server certificate (web server, FTP server, mail server, etc.).
1. Generate the server certificate key.
openssl genrsa -out Server.key 2048
2. Create the server certificate CSR.
To avoid a warning that the certificate does not match the domain, add a subject alternative name (SAN) with the following config file:
nano service.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = ID
ST = JKT
L = JKT
O = ITNSA
OU = ITNSA
emailAddress = me@idnux.com
CN = *.idnux.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www
DNS.2 = www.idnux.com
The config above can be modelled on /etc/ssl/openssl.cnf or man openssl.
openssl req -new -key Server.key -out Server.csr -config service.cnf
3. Sign the server CSR with the Intermediate CA. Pass service.cnf again so the subjectAltName from the CSR is written into the issued certificate (openssl x509 -req does not copy CSR extensions on its own), sign with SHA-256 because browsers reject SHA-1 signatures, and let OpenSSL track the serial number in IntermediateCA.srl instead of hard-coding 0101, since two certificates from the same issuer must not share a serial.
openssl x509 -req -days 1000 -in Server.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key -CAcreateserial -extfile service.cnf -extensions req_ext -out Server.crt -sha256
Verify
Send RootCA.crt and IntermediateCA.crt to the client.
Bundle RootCA.crt and IntermediateCA.crt into one file, CA.crt, with the following commands (intermediate first, then root):
cat IntermediateCA.crt > CA.crt
cat RootCA.crt >> CA.crt
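As an added example (not from the original post), the script below builds the Root, Intermediate and Server certificates described above in a scratch directory and finishes with the openssl verify call that actually checks the chain and hostname. The contents of subca.conf are assumed, since the post only names the file; the subject names, CN and SAN are sample values; it needs the openssl CLI and its default openssl.cnf.

```shell
# Added example, not from the original post: build Root -> Intermediate -> Server
# and verify the chain. subca.conf contents are assumed; service.cnf follows the
# post's SAN config with sample values. Needs openssl and its default openssl.cnf.
build_and_verify_chain() (
    set -e
    cd "$(mktemp -d)"
    # Assumed subca.conf: CA:TRUE lets the intermediate issue certificates, pathlen:0
    # stops it issuing further CAs. Without CA:TRUE, openssl verify rejects every
    # server certificate it signs with "invalid CA certificate".
    cat > subca.conf <<'EOF'
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # service.cnf as in the post, reduced to the DN and the SAN (sample values).
    cat > service.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = www.idnux.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.idnux.com
EOF
    # Root CA: self-signed; CA extensions come from the default openssl.cnf v3_ca section.
    openssl genrsa -out RootCA.key 2048
    openssl req -new -x509 -days 1826 -key RootCA.key -out RootCA.crt -subj "/CN=Example Root CA"
    # Intermediate CA, signed by the root with the v3_subca extensions.
    openssl genrsa -out IntermediateCA.key 2048
    openssl req -new -key IntermediateCA.key -out IntermediateCA.csr -subj "/CN=Example Intermediate CA"
    openssl x509 -req -days 1000 -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key \
        -CAcreateserial -extfile subca.conf -extensions v3_subca -out IntermediateCA.crt
    # Server certificate. -extfile/-extensions are required: x509 -req does not copy the
    # CSR's SAN into the certificate by itself. SHA-256 signature, serial from the .srl file.
    openssl genrsa -out Server.key 2048
    openssl req -new -key Server.key -out Server.csr -config service.cnf
    openssl x509 -req -days 1000 -in Server.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key \
        -CAcreateserial -extfile service.cnf -extensions req_ext -sha256 -out Server.crt
    # The check the Verify step leaves implicit: trust only the root, pass the intermediate
    # as untrusted, and require the server certificate to be valid for the hostname.
    openssl verify -CAfile RootCA.crt -untrusted IntermediateCA.crt -verify_hostname www.idnux.com Server.crt
)
```

Run `build_and_verify_chain`; it prints `Server.crt: OK` and exits 0 only when the intermediate carries CA:TRUE and the server certificate carries the SAN.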
Example SSL configuration on Apache2
<VirtualHost 192.168.1.1:443>
    DocumentRoot /var/www/html
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_server.crt
    SSLCertificateKeyFile /path/to/your_server.key
    SSLCertificateChainFile /path/to/IntermediateCA.crt
</VirtualHost>