How to create my own certificate chain?
You can use OpenSSL directly.
Create a Certificate Authority private key (this is your most important key):
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer
(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)
Once you have created your CA, you can use it to sign certs:
- Create a key:
openssl genrsa -out key_A.key 1024
- Create a CSR:
openssl req -new -key key_A.key -out csr_A.csr # You are about to be asked to enter information etc....
- Sign it:
And so on, replacing A with B,openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt \ -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt
CA_certificate_you_created.crt
withcrt_A.crt
, andCA_key_you_created.key
withkey_A.key
Changing the below means that the certificates you issue can be used to sign other certificates:
basicConstraints=CA:TRUE # prev value was FALSE
OpenSSL comes with a Perl script CA.pl
to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.
Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.
If I recall correctly, the syntax goes something like this:
CA.pl -newca # Create a new root CA
CA.pl -newreq # Create a new CSR
CA.pl -sign # Sign a CSR, creating a cert
CA.pl -pkcs12 # Turn an issued cert, plus its matching private key and trust chain,
# into a .p12 file you can install on another machine