In the last post we learned how to generate a private key, a CSR and a self-signed certificate file. In this post we will go one step further: create a child certificate and sign it with the root authority (which in this case is mycertificate.crt, created in the last post).
Let's start by creating the child certificate and then sign it with the self-signed root CA.
Generate a private key.
Run this command to generate the private key:
openssl genrsa -out childcertificate.key 4096
Create a certificate signing request (CSR)
The CSR contains the common name and some other information. Here is the command you need to create the CSR.
openssl req -sha256 -new -key childcertificate.key -out childcertificate.csr
After entering this command, you will be asked a series of questions.
Here is a short description of the questions.
- Country Name (2 letter code): The two-letter country code where the company is legally located.
- State or Province Name (full name): The state/province where the company is located.
- Locality Name (e.g., city): The city where the company is located.
- Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
- Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank, simply press Enter.)
- Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
- Email Address: Your email address. (To leave it blank, simply press Enter.)
- A challenge password: Your password. (To leave it blank, simply press Enter.)
- An optional company name: Optional company name. (To leave it blank, simply press Enter.)
Your answers to these questions will be embedded in the CSR.
The above command stores the CSR information in the childcertificate.csr file.
Generate a child certificate (crt file) and sign it with the Root CA.
Run this command to create the certificate (.crt) file from the CSR and sign it with the Root CA by providing the root certificate's crt and key files.
openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt -CAkey mycertificate.key -set_serial 01 -out childcertificate.crt
In this command:
mycertificate.crt and mycertificate.key represent the Root CA being used to sign the child certificate.
childcertificate.crt is the target file we want to generate from the childcertificate.csr file.
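The three steps above as one non-interactive run, followed by checks that the result chains to the root and matches its key (added example, not from the original post). It assumes a throwaway root CA generated on the spot in place of last post's mycertificate.crt and mycertificate.key, constructed subject values, and an added child.ext file that supplies a subjectAltName, which the post's command does not set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The root CA, subject fields and
# host name below are constructed stand-ins.

make_child() (   # $1 = working directory; subshell keeps the cd local
  cd "$1" || exit 1
  # Stand-in for the root CA from the previous post (mycertificate.crt/.key).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=MyCompany/CN=Example Root CA" \
    -keyout mycertificate.key -out mycertificate.crt 2>/dev/null || exit 1

  # Child key and CSR; -subj answers the interactive questions up front.
  openssl genrsa -out childcertificate.key 4096 2>/dev/null || exit 1
  openssl req -sha256 -new -key childcertificate.key \
    -subj "/C=US/O=MyCompany/CN=www.mycompany.com" \
    -out childcertificate.csr || exit 1

  # x509 -req does not carry extensions over from the CSR by default, so the
  # SAN that TLS clients match host names against is supplied via -extfile.
  printf '%s\n' 'subjectAltName = DNS:www.mycompany.com' \
    'basicConstraints = CA:FALSE' > child.ext
  openssl x509 -req -sha256 -days 365 -in childcertificate.csr \
    -CA mycertificate.crt -CAkey mycertificate.key -set_serial 01 \
    -extfile child.ext -out childcertificate.crt 2>/dev/null
)

check_child() (  # returns 0 only if chain, key pairing and SAN all check out
  cd "$1" || exit 1
  # 1. The child must chain to the root that signed it.
  openssl verify -CAfile mycertificate.crt childcertificate.crt >/dev/null 2>&1 || exit 1
  # 2. The certificate must carry the public half of childcertificate.key.
  cert_pub=$(openssl x509 -in childcertificate.crt -noout -pubkey)
  key_pub=$(openssl rsa -in childcertificate.key -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || exit 1
  # 3. The SAN from child.ext must be present in the issued certificate.
  openssl x509 -in childcertificate.crt -noout -text | grep -q 'DNS:www.mycompany.com'
)

work=$(mktemp -d)
make_child "$work" && check_child "$work" && echo "child certificate verified in $work"
```

To sign with the real root from the previous post, drop the stand-in openssl req -x509 step and run the rest in the directory that holds mycertificate.crt and mycertificate.key.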
Extract Public Key
If you want to extract the public key, you can use this command:
openssl rsa -in childcertificate.key -pubout > childcertificate.pub
It will generate the public key in the childcertificate.pub file.
Generate a PFX (or PKCS#12) file for the certificate.
The PFX or PKCS#12 format is a binary format for storing the certificate and private key in a single encryptable file.
PFX files are usually found with the extensions .pfx and .p12.
openssl pkcs12 -export -out childcertificate.pfx -inkey childcertificate.key -in childcertificate.crt