How to make a Root CA, Intermediate CA / Sub CA, and Server Certificate with the OpenSSL command

- Keep RootCA.key and IntermediateCA.key secure (ideally keep the root key offline; it is only needed to sign intermediates).
- Install RootCA.crt (and, optionally, IntermediateCA.crt) as trusted on the client's system or browser. The server normally sends the intermediate together with its own certificate, so clients only strictly need the root.
- Use the IntermediateCA to sign the server certificates you need (web server, FTP server, mail server, etc.), never the root directly.

This configuration is just an example; adjust the certificate names and attributes to your needs.

In this tutorial we use the openssl command directly, but you can also use the CA.pl script that ships with OpenSSL.

1. Generate the Root CA key.

openssl genrsa -out RootCA.key 4096

2. Generate the self-signed Root certificate (you will be prompted for the subject fields).

openssl req -new -x509 -days 1826 -key RootCA.key -out RootCA.crt



Generate Intermediate CA

Create a file subca.conf containing an extension section named v3_subca. It must set basicConstraints to CA:TRUE (add pathlen:0 if the intermediate should not be allowed to create further sub-CAs) and keyUsage to keyCertSign, cRLSign; it is passed to openssl x509 with -extfile in step 3 below.


1. Generate the Intermediate CA key.

openssl genrsa -out IntermediateCA.key 4096




2. Generate Intermediate CA CSR.

openssl req -new -key IntermediateCA.key -out IntermediateCA.csr



3. Sign the Intermediate CA CSR with the Root CA.

openssl x509 -extfile subca.conf -extensions v3_subca -req -days 1000 -in IntermediateCA.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out IntermediateCA.crt



Then generate the server certificate (web server, FTP server, mail server, etc.)


1. Generate the server certificate key.

openssl genrsa -out Server.key 2048


2. Create the server certificate CSR.

To avoid browser warnings that the certificate does not match the domain, the CSR needs a subjectAltName, configured with the following file:


nano service.cnf 


[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = req_ext
req_extensions = req_ext
distinguished_name = dn



[ dn ]
C=ID
ST=JKT
L=JKT
O=ITNSA
OU=ITNSA
emailAddress=me@idnux.com
CN = *.idnux.com


[ req_ext ]
subjectAltName = @alt_names


[ alt_names ]
DNS.1 = www
DNS.2 = www.idnux.com


The config above can be modelled on /etc/ssl/openssl.cnf or man req. Note that DNS.1 = www matches only the bare hostname www; list every fully qualified name the server will be reached by. Also note that openssl x509 -req (used in step 3) does not copy extensions from the CSR, so the subjectAltName must be supplied again at signing time with -extfile service.cnf -extensions req_ext (or -copy_extensions copy on OpenSSL 3.0 and later); otherwise the signed certificate has no SAN and browsers will still reject it.


openssl req -new -key Server.key -out Server.csr -config service.cnf







3. Sign the server CSR with the IntermediateCA.

openssl x509 -req -sha256 -days 1000 -in Server.csr -CA IntermediateCA.crt -CAkey IntermediateCA.key -CAcreateserial -extfile service.cnf -extensions req_ext -out Server.crt

Sign with -sha256 rather than -sha1: SHA-1 certificate signatures are rejected by current browsers. -extfile service.cnf -extensions req_ext is required because openssl x509 -req does not carry the subjectAltName over from the CSR on its own. -CAcreateserial keeps a serial counter in IntermediateCA.srl; if you prefer -set_serial, every certificate issued by the same CA must get a distinct serial number.


Verify: check that Server.crt chains to RootCA.crt through IntermediateCA.crt (openssl verify with -CAfile RootCA.crt and -untrusted IntermediateCA.crt) and that the issued certificate really contains the subjectAltName entries (openssl x509 -noout -text).



Distribute RootCA.crt and IntermediateCA.crt to clients

Bundle RootCA.crt and IntermediateCA.crt into one file CA.crt with the following command:

cat IntermediateCA.crt > CA.crt
cat RootCA.crt >> CA.crt
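The whole procedure above (root, intermediate with subca.conf, server certificate with SANs, CA bundle and a chain check) as shell functions. This is an added example, not the post's own commands: it keeps the post's names (ITNSA, idnux.com, RootCA.key, IntermediateCA.key, Server.key, CA.crt), while the subject fields, the extension section names (v3_ca, v3_subca, v3_server), key sizes and validity periods are assumptions. It also signs the server CSR once the post's way, without -extfile, to show that the SANs in the CSR are dropped in that case.

```shell
#!/bin/sh
# Added example (not the post's own commands): Root CA -> Intermediate CA -> server cert
# with explicit extension files, plus a chain check. Subject fields, section names,
# key sizes and lifetimes are assumptions of this example.
set -eu

# build_pki DIR: write keys, CSRs, certificates and the CA bundle under DIR.
build_pki() {
  d=$1
  mkdir -p "$d"
  # 1. Root CA: self-signed, CA:TRUE, key usable only for signing certs and CRLs.
  cat > "$d/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = ID
O = ITNSA
CN = ITNSA Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$d/RootCA.key" 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 1826 -config "$d/root.cnf" -key "$d/RootCA.key" -out "$d/RootCA.crt"

  # 2. Intermediate CA. subca.conf is the file the post names but does not show;
  #    pathlen:0 stops the intermediate from issuing further CA certificates.
  cat > "$d/subca.conf" <<'EOF'
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl genrsa -out "$d/IntermediateCA.key" 4096 2>/dev/null
  openssl req -new -sha256 -config "$d/root.cnf" -subj "/C=ID/O=ITNSA/CN=ITNSA Intermediate CA" \
    -key "$d/IntermediateCA.key" -out "$d/IntermediateCA.csr"
  openssl x509 -req -sha256 -days 1000 -in "$d/IntermediateCA.csr" -CA "$d/RootCA.crt" -CAkey "$d/RootCA.key" \
    -CAcreateserial -extfile "$d/subca.conf" -extensions v3_subca -out "$d/IntermediateCA.crt" 2>/dev/null

  # 3. Server certificate. The CSR carries the SAN list like the post's service.cnf,
  #    and the same file doubles as the -extfile used at signing time.
  cat > "$d/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
C = ID
O = ITNSA
CN = www.idnux.com
[req_ext]
subjectAltName = @alt_names
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
authorityKeyIdentifier = keyid:always
[alt_names]
DNS.1 = www.idnux.com
DNS.2 = idnux.com
EOF
  openssl genrsa -out "$d/Server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$d/server.cnf" -key "$d/Server.key" -out "$d/Server.csr"
  # Signed the post's way (no -extfile): "openssl x509 -req" does not copy CSR
  # extensions, so this certificate ends up with no subjectAltName at all.
  openssl x509 -req -sha256 -days 397 -in "$d/Server.csr" -CA "$d/IntermediateCA.crt" \
    -CAkey "$d/IntermediateCA.key" -CAcreateserial -out "$d/Server-nosan.crt" 2>/dev/null
  # Signed correctly, with the server extensions named explicitly.
  openssl x509 -req -sha256 -days 397 -in "$d/Server.csr" -CA "$d/IntermediateCA.crt" \
    -CAkey "$d/IntermediateCA.key" -CAcreateserial -extfile "$d/server.cnf" -extensions v3_server \
    -out "$d/Server.crt" 2>/dev/null
  # CA bundle for clients: intermediate first, then root.
  cat "$d/IntermediateCA.crt" "$d/RootCA.crt" > "$d/CA.crt"
}

# verify_chain DIR: succeed only if Server.crt chains to the root through the
# intermediate, passes the TLS-server purpose checks, and names www.idnux.com.
verify_chain() {
  d=$1
  openssl verify -purpose sslserver -CAfile "$d/RootCA.crt" -untrusted "$d/IntermediateCA.crt" \
    "$d/Server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$d/Server.crt" -noout -text | grep -q 'DNS:www.idnux.com' || return 1
  openssl x509 -in "$d/IntermediateCA.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0' || return 1
}

# san_lost DIR: succeed if the certificate signed without -extfile has no SAN,
# which is what the post's original step 3 command produces.
san_lost() {
  d=$1
  ! openssl x509 -in "$d/Server-nosan.crt" -noout -text | grep -q 'Subject Alternative Name'
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
verify_chain "$PKI_DIR"
san_lost "$PKI_DIR"
echo "chain OK, SAN present only in Server.crt: $PKI_DIR"
```

Running it prints the scratch directory; compare `openssl x509 -in Server.crt -noout -text` with the same for Server-nosan.crt to see the missing SAN block, and inspect CA.crt (intermediate followed by root) before handing it to clients.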

Example SSL configuration on Apache2 (SSLCertificateChainFile is deprecated since Apache 2.4.8; on newer versions append IntermediateCA.crt after the server certificate in the file given to SSLCertificateFile instead):

   <VirtualHost 192.168.1.1:443>
       DocumentRoot /var/www/html
       ServerName www.yourdomain.com
       SSLEngine on
       SSLCertificateFile /path/to/your_server.crt
       SSLCertificateKeyFile /path/to/your_server.key
       SSLCertificateChainFile /path/to/IntermediateCA.crt
   </VirtualHost>

