SSL Certificates

How you can easily create and manage SSL certificates

Creating an SSL Server CA

We'll create a CA for just SSL server certificates, i.e. it's not self-signed (we'll be signing it with our Root CA). We do this because we can!

CSR

An SSL Server CA will be similar to the Root CA, only we want to do two things:

  1. restrict it to just being an SSL Server CA
  2. sign it with the CA

In fact both actions are performed at the same time.

The configuration for the SSL Server CA is virtually identical bar changing the Common Name (or CN) attribute to something more appropriate, say, Example Limited SSL Server CA:

openssl genrsa -out ssl-server-ca.key
openssl req -new -sha256 -key ssl-server-ca.key -out ssl-server-ca.req -config ssl-server-ca.cfg

Note that we are only creating a Certificate Request so we've dropped the -x509 argument and made the output file extension .req (file extensions have no meaning for OpenSSL but it does help keep track of what's going on).

Signing

Next we need to sign the certificate and set its attributes.

Note

A feature in OpenSSL means that the extensions put into the SSL Server CA's request are lost on transfer to a certificate (openssl x509 -req does not copy them), so we have to redefine them. I guess the idea is that the signer (issuer) decides what the certificate is valid for and therefore has to (re-)define the valid attributes.

Defining these attributes in a named section allows us to use this file for other signing purposes:

[ ssl_server_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
#basicConstraints = critical,CA:true
basicConstraints = CA:true
keyUsage = keyCertSign

We repeat the basicConstraints attribute to make the certificate a CA and add the keyUsage attribute, whose value keyCertSign limits the key to signing certificates and so reduces the scope of the CA to just being an SSL Server CA.

However, before we sign anything we need to set up a serial number file for the Root CA so that every certificate it signs can have a unique serial number. The serial number file is a simple text file with an ASCII hexadecimal number in it:

echo 00 > root-ca.srl

although you could pass the -CAcreateserial flag as an alternative.

The next command will take the SSL Server CA's signing request and sign it with the Root CA's private key:

openssl x509 -req -sha256 -in ssl-server-ca.req -out ssl-server-ca.crt -extfile root-ca-sign.cfg -extensions ssl_server_ca -CA root-ca.crt -CAkey root-ca.key -CAserial root-ca.srl

The -extfile root-ca-sign.cfg -extensions ssl_server_ca arguments take the attributes for the certificate from the ssl_server_ca section of the file root-ca-sign.cfg (our example above).

Checking

Check the certificate:

openssl x509 -noout -in ssl-server-ca.crt -text -purpose

Note here that the Issuer is the Root CA and that the certificate has had its full CA purpose restricted to, amongst others, an SSL Server CA.

SHA256

Again, check your certificate reports:

Signature Algorithm: sha256WithRSAEncryption
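The whole procedure end to end, as an added example that is not part of this guide: it builds a throwaway Root CA (the guide assumes one already exists from the previous page), then creates the SSL Server CA request, signs it with the Root CA and runs the checks described above. The three configuration files are constructed inline and are assumptions, not the guide's own ssl-server-ca.cfg or root-ca-sign.cfg. It also goes a little beyond the guide: the signing section adds pathlen:0 so the new CA cannot issue further CAs, and extendedKeyUsage = serverAuth, which is what makes OpenSSL's -purpose output report it as an SSL server CA while saying No to SSL client CA and the other CA roles (keyUsage keyCertSign on its own leaves every CA purpose enabled, which is why the guide's check reads "amongst others"). It passes -days explicitly, because openssl x509 -req defaults to 30 days of validity, and a key size to genrsa, whose default depends on the OpenSSL version.

```shell
#!/bin/sh
# Added example, not the guide's files: throwaway Root CA -> SSL Server CA -> checks.
# Assumes: openssl 1.1 or later on PATH. WORK is a scratch directory (mktemp by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed config files (assumptions standing in for the guide's own files).
write_configs() {
  # Root CA request config: self-signed via -x509, extensions come from [ root_ca ].
  cat > "$WORK/root-ca.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ca
[ dn ]
CN = Example Limited Root CA
O = Example Limited
[ root_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
  # SSL Server CA request config: only the CN differs, as the guide says.
  cat > "$WORK/ssl-server-ca.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Limited SSL Server CA
O = Example Limited
EOF
  # Signing config: the guide's named section, plus pathlen:0 and an EKU that
  # actually narrows the CA to issuing server certificates.
  cat > "$WORK/root-ca-sign.cfg" <<'EOF'
[ ssl_server_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign
extendedKeyUsage = serverAuth
EOF
}

build_root_ca() {
  openssl genrsa -out "$WORK/root-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$WORK/root-ca.key" \
    -out "$WORK/root-ca.crt" -config "$WORK/root-ca.cfg"
  # Serial file as in the guide; OpenSSL increments it before each signature.
  echo 00 > "$WORK/root-ca.srl"
}

build_server_ca() {
  openssl genrsa -out "$WORK/ssl-server-ca.key" 2048 2>/dev/null
  # Request only: no -x509, so the output is a CSR, not a certificate.
  openssl req -new -sha256 -key "$WORK/ssl-server-ca.key" \
    -out "$WORK/ssl-server-ca.req" -config "$WORK/ssl-server-ca.cfg"
  # Sign with the Root CA, taking extensions from the named section.
  openssl x509 -req -sha256 -days 1825 -in "$WORK/ssl-server-ca.req" \
    -out "$WORK/ssl-server-ca.crt" -extfile "$WORK/root-ca-sign.cfg" \
    -extensions ssl_server_ca -CA "$WORK/root-ca.crt" \
    -CAkey "$WORK/root-ca.key" -CAserial "$WORK/root-ca.srl" 2>/dev/null
}

# Returns 0 only when every check the guide describes passes.
check_server_ca() {
  crt="$WORK/ssl-server-ca.crt"
  # Chains to the Root CA, so it is not self-signed.
  openssl verify -CAfile "$WORK/root-ca.crt" "$crt" >/dev/null || return 1
  text=$(openssl x509 -noout -in "$crt" -text -purpose)
  echo "$text" | grep -q 'Issuer: .*Example Limited Root CA' || return 1
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  echo "$text" | grep -q '^SSL server CA : Yes' || return 1
  echo "$text" | grep -q '^SSL client CA : No' || return 1
  return 0
}

main() {
  write_configs
  build_root_ca
  build_server_ca
  if check_server_ca; then
    echo "ssl-server-ca.crt passed all checks in $WORK"
  else
    echo "ssl-server-ca.crt FAILED a check; inspect $WORK" >&2
    return 1
  fi
}

main
```

Run it with sh; set WORK to keep the output somewhere other than a temporary directory. After a run, root-ca.srl holds 01, the serial OpenSSL assigned to the new certificate, and openssl x509 -text -purpose on ssl-server-ca.crt shows the Root CA as Issuer, CA:TRUE with pathlen:0, and SSL server CA : Yes alongside SSL client CA : No.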
