create certificate chain

ashish2881
Hi,
      I want to create a certificate chain (self-signed root CA cert + intermediate cert + server cert).
Please let me know the openssl commands and the configuration required to create a root CA, an intermediate cert signed by the root CA, and a server cert signed by the intermediate cert.

Thanks
ashish2881
cisco systems

Re: create certificate chain

Dirk-Willem van Gulik

On 4 Mar 2013, at 08:47, ashish2881 <[hidden email]> wrote:

> Hi ,
>      I want to create a certificate chain ( self signed root ca
> cert+intermediate cert + server-cert).
> Please let me know openssl commands and the configuration required to create
> root-ca ,intermediate cert signed by root-ca and server cert signed by
> intermediate cert .

Try below.

Dw.

# SHA512 testcase -- all 3 layers.
#
LEN=${LEN:-2048}
PASS=${PASS:-changeit}   # export password for the PKCS#12 files created below

# create a root.
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -subj /CN=DaRoot -newkey rsa:$LEN -sha512 || exit 1

# create an intermediate & sign
openssl req -new -nodes -out ca-int.req -keyout ca-int.key -subj /CN=Zintermediate -newkey rsa:$LEN -sha512 || exit 1
openssl x509 -req -in ca-int.req -CAkey ca.key -CA ca.crt -days 20 -set_serial $RANDOM -sha512 -out ca-int.crt || exit 1

# chain
#
cat ca.crt ca-int.crt > ca-all.crt

for who in alice bob charlie eve dave fred
do
        # create a request
        openssl req -new -out $who.req -keyout $who.key -nodes -newkey rsa:$LEN -subj /CN=$who/emailAddress=$[hidden email]  || exit 1

        # sign the request
        openssl x509 -req -in $who.req -CAkey ca-int.key -CA ca-int.crt -days 10 -set_serial $RANDOM -sha512 -out $who.crt || exit 1

        # create some convenience formats
        #
        openssl x509 -in $who.crt -out $who.der -outform DER || exit 1
        openssl pkcs12 -export -out $who.p12 -in $who.crt -inkey $who.key -chain -CAfile ca-all.crt -password pass:$PASS || exit 1
done


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: create certificate chain

ashish2881
In reply to this post by ashish2881
Hi Dirk,
              Thanks for the reply.
These commands worked for me.
I have created a single key and used it for ca-cert, intermediate-cert and server/client cert.
Otherwise, we can use separate keys, and the commands are like this:

openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509  -in  ca.crt -out ca.pem
openssl genrsa -des3 -out ca-int_encrypted.key 1024
openssl rsa -in ca-int_encrypted.key -out ca-int.key
openssl req -new -key ca-int.key -out ca-int.csr -subj "/CN=ca-int@acme.com"
openssl x509 -req -days 3650 -in ca-int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ca-int.crt

openssl genrsa -des3 -out server_encrypted.key 1024
openssl rsa -in server_encrypted.key -out server.key
openssl req -new -key server.key -out server.csr -subj "/CN=server@acme.com"
openssl x509 -req -days 3650 -in server.csr -CA ca-int.crt -CAkey ca-int.key -set_serial 01 -out server.crt

openssl verify failure: Re: create certificate chain

sherry
In reply to this post by Dirk-Willem van Gulik

Hi Dirk,

Thanks for your post. You seem to be so knowledgeable! I tried your commands, but I am not able to verify with "openssl verify". Could you please help? Following is the command sequence:


root@dev12042:~/cert# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
............++++++
e is 65537 (0x10001)
root@dev12042:~/cert# openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj /CN=MyRoot


root@dev12042:~/cert# openssl genrsa -out ca-int.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
..............++++++
e is 65537 (0x10001)
root@dev12042:~/cert# openssl req -new -key ca-int.key -out ca-int.csr -subj /CN=intermediate
root@dev12042:~/cert# openssl x509 -req -days 3650 -in ca-int.csr -CA ca.crt -CAkey ca.key -out ca-int.crt -set_serial 01
Signature ok
subject=/CN=intermediate
Getting CA Private Key

root@dev12042:~/cert# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.........++++++
e is 65537 (0x10001)
root@dev12042:~/cert# openssl req -new -key server.key -out server.csr -subj /CN=server
root@dev12042:~/cert# openssl x509 -req -in server.csr -CA ca-int.crt -CAkey ca-int.key -out server.crt -set_serial 01
Signature ok
subject=/CN=server
Getting CA Private Key

root@dev12042:~/cert# openssl verify -CAfile ca.crt ca-int.crt server.crt
ca-int.crt: OK
server.crt: CN = server
error 20 at 0 depth lookup:unable to get local issuer certificate

Thanks so much!
Sherry

Re: openssl verify failure: Re: create certificate chain

ashish2881
This post has NOT been accepted by the mailing list yet.
Hi Sherry,
                 You need to put your cert in the trusted store of openssl. Check the config of openssl.

RE: openssl verify failure: Re: create certificate chain

Dave Thompson-5
In reply to this post by sherry
> From: [hidden email] On Behalf Of sherry
> Sent: Friday, 16 August, 2013 20:09

> Hi Dirk,
>
(This is an open list, so I'll answer.)

<snip: genrsa and req -new -x509 for ca,
genrsa and req -new and x509 -req for ca-int,
genrsa and req -new and x509 -req for server>

Aside: I hope you know RSA 1024 is now considered
under some threat (though not actually broken),
and not safe for a projected 10-year lifetime.

> root@dev12042:~/cert# openssl verify -CAfile ca.crt
> ca-int.crt server.crt
> ca-int.crt: OK
> server.crt: CN = server
> error 20 at 0 depth lookup:unable to get local issuer certificate

'verify' validates each cert, individually, against only
the specified or defaulted truststore. Your server.crt
chains via ca-int.crt not directly to your ca.crt. Either:

- concatenate ca.crt and ca-int.crt (and others if you like)
into one file and use that for -CAfile.

- put both ca.crt and ca-int.crt (and others if you like)
in a directory with hash links or names and use for -CApath.

- for this command only, add ca-int to the chain:
  openssl verify -CAfile ca.crt -untrusted ca-int.crt server.crt


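As an added example that is not part of the thread (my own script, not Dirk's or Dave's), the following puts the two points of the thread together. Dirk's script signs the intermediate with "openssl x509 -req" and no extension file, so the intermediate carries no basicConstraints; "openssl verify" will accept such a cert as a leaf (Sherry's "ca-int.crt: OK") but will not build a chain through it (error 24, invalid CA certificate). Dave's reply explains that verify needs the intermediate supplied explicitly. The script below builds root, intermediate and server certificates with explicit v3 extensions (a separate key per tier, random serials, SHA-256) and exercises each verify form, including the two failing ones. The names MyRoot, MyIntermediate and server.example.test and all file names are invented for the example; it assumes an OpenSSL 1.1.1 or later CLI on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds root -> intermediate -> leaf
# with explicit X.509v3 extensions and shows which "openssl verify" calls
# succeed. Names (MyRoot, MyIntermediate, server.example.test) are made up;
# assumes an OpenSSL 1.1.1+ CLI on PATH.
set -eu

# Extension profiles, written next to the keys. An intermediate signed by
# "openssl x509 -req" without -extfile gets no basicConstraints, and OpenSSL
# will not build a chain through it.
write_ext_files() {
    cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > int.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    cat > server.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# build_chain DIR: a separate 2048-bit key per tier, SHA-256 signatures,
# serials from -CAcreateserial instead of a fixed "01".
build_chain() (
    mkdir -p "$1"
    cd "$1"
    write_ext_files
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=MyRoot \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca.ext -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=MyIntermediate \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1825 -sha256 -extfile int.ext -out int.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=server.example.test \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 398 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # What a TLS server should present: leaf first, then the intermediate.
    cat server.crt int.crt > server-chain.crt
)

# True if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# The form from Dave's reply: root trusted, intermediate supplied as untrusted.
verify_chain() (
    cd "$1"
    openssl verify -CAfile ca.crt -untrusted int.crt server.crt
)

# Same result via a concatenated -CAfile bundle (the intermediate then counts
# as a trust anchor in its own right, which is broader than -untrusted).
verify_with_bundle() (
    cd "$1"
    cat ca.crt int.crt > ca-all.crt
    openssl verify -CAfile ca-all.crt server.crt
)

# The failure in the thread (error 20): leaf checked against the root alone.
# Returns 0 when openssl rejects it.
verify_leaf_alone_fails() (
    cd "$1"
    ! openssl verify -CAfile ca.crt server.crt
)

# Intermediate signed without an extension file (as in the thread): no
# basicConstraints, so verify fails even with the full chain supplied.
# Returns 0 when openssl rejects it.
v1_intermediate_is_rejected() (
    cd "$1"
    openssl x509 -req -in int.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1825 -sha256 -out int-v1.crt 2>/dev/null
    openssl x509 -req -in server.csr -CA int-v1.crt -CAkey int.key -CAcreateserial \
        -days 398 -sha256 -extfile server.ext -out server-v1.crt 2>/dev/null
    ! openssl verify -CAfile ca.crt -untrusted int-v1.crt server-v1.crt
)

if [ $# -eq 1 ]; then
    build_chain "$1"
    verify_chain "$1"
    verify_leaf_alone_fails "$1" && echo "leaf alone: rejected as expected"
    v1_intermediate_is_rejected "$1" && echo "v1 intermediate: rejected as expected"
fi
```

Run it as "sh chain.sh ./demo-pki": verify_chain prints "server.crt: OK", the leaf-only check reproduces Sherry's error 20, and the intermediate signed without an extension file is rejected even though the full chain is on the command line. For a routine chain check prefer the -untrusted form over a concatenated -CAfile: the bundle makes the intermediate a trust anchor, so a leaf signed directly by a mis-issued intermediate would pass without the root ever being consulted.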