SSL Certificates
Creating an SSL Server CA
We'll create a CA for just SSL server certificate, ie. it's not self-signed (we'll be signing it with our CA). We do this because we can!
CSR
An SSL Server CA will be similar to the CA only we want to do two things:
- restrict it to just being an SSL Server CA
- sign it with the CA
In fact both actions are performed at the same time.
The configuration for the SSL Server CA is virtually identical bar changing the Common Name (or CN) attribute to something more appropriate, say, Example Limited SSL Server CA:
openssl genrsa -out ssl-server-ca.key openssl req -new -sha256 -key ssl-server-ca.key -out ssl-server-ca.req -config ssl-server-ca.cfg
Note that we are only creating a Certificate Request so we've dropped the -x509 argument and made the output file extension .req (file extensions have no meaning for OpenSSL but it does help keep track of what's going on).
Signing
Next we need to sign the certificate and set its attributes.
Note
A feature in OpenSSL means that the extensions put into the SSL Server CA's request are lost on transfer to a certificate so we have to redefine them. I guess the idea is that the singer (issuer) decides what the certificate is valid for and therefore has to (re-)define the valid attributes.
Defining these attributes in a named section allows us to use this file for other signing purposes:
[ ssl_server_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always #basicConstraints = critical,CA:true basicConstraints = CA:true keyUsage = keyCertSign
We repeat the basicConstraints attribute to make the certificate a CA and add the keyUsage attribute where the value keyCertSign reduces the scope of the CA to just being an SSL Server CA.
However, before we do we sign anything we need to setup a serial number file for the Root CA so that every certificate it signs can have a unique serial number. The serial number file is a simple text file with an ASCII number in it:
echo 00 > root-ca.srl
although you could pass the -CAcreateserial flag as an alternative.
The next command will take the SSL Server CA's signing request and sign it with the Root CA's private key:
openssl x509 -req -sha256 -in ssl-server-ca.req -out ssl-server-ca.crt -extfile root-ca-sign.cfg -extensions ssl_server_ca -CA root-ca.crt -CAkey root-ca.key -CAserial root-ca.srl
The -extfile root-ca-sign.cfg -extensions ssl_server_ca arguments are taking the attributes for the certificate from the ssl_server_ca section of the file root-ca-sign.cfg (our example above).
Checking
Check the certificate:
openssl x509 -noout -in ssl-server-ca.crt -text -purpose
Note here that the Issuer is the Root CA and that the certificate has had its full CA purpose restricted to, amongst others, an SSL Server CA.
SHA256
Again, check your certificate reports:
Signature Algorithm: sha256WithRSAEncryption
Document Actions