October 17, 2020

OpenSSL - Sign Child Certificate with Self-Signed Root CA

In the last post we learned how to generate a private key, a CSR and a self-signed certificate (.crt) file. In this post we go one step further: we create a child certificate and sign it with the root authority (which in this case is mycertificate.crt, created in the last post).

Let's start by creating the child certificate and then signing it with the self-signed root CA.

Generate a private key.

Run this command to generate the private key:

openssl genrsa -out childcertificate.key 4096

Create a certificate signing request (CSR)

The CSR contains the common name and some other information. Here is the command you need to create the CSR:

openssl req -sha256 -new -key childcertificate.key -out childcertificate.csr

After entering this command, you will be asked a series of questions.

Here is a short description of the questions.

  • Country Name (2 letter code): The two-letter country code where the company is legally located.
  • State or Province Name (full name): The state/province where the company is located.
  • Locality Name (e.g., city): The city where the company is located.
  • Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
  • Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank; simply press Enter.)
  • Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
  • Email Address: Your email address. (To leave it blank; simply press Enter.)
  • A challenge password: Your password. (To leave it blank; simply press Enter.)
  • An optional company name: Optional company name. (To leave it blank; simply press Enter.)

Your answers to these questions will be embedded in the CSR.

The above command stores the CSR in the childcertificate.csr file.

Generate a child certificate (crt file) and Sign with Root CA.

Run this command to create the certificate (.crt) file from the CSR and sign it with the root CA, providing the root certificate's .crt and .key files:

openssl x509 -req -days 365 -in childcertificate.csr -CA mycertificate.crt \
        -CAkey mycertificate.key -set_serial 01 -out childcertificate.crt

In this command:

  • mycertificate.crt and mycertificate.key represent the root CA being used to sign the child certificate.
  • childcertificate.crt is the target file we want to generate from childcertificate.csr file.
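As an added example (not the original post's commands), here is the same key, CSR and signing flow as a script that runs non-interactively, plus two things the command above leaves out: an extension file so the child is marked as a leaf certificate (CA:FALSE) and carries a subject alternative name, and an openssl verify step that confirms the child really chains to the root. It assumes openssl is on PATH and constructs a throwaway root CA in place of the one from the previous post.

```shell
#!/bin/sh
# Added example, not the original post's commands: the same child-signing
# flow run non-interactively, with two things the post's command leaves out:
# an extension file so the child carries a SAN and is marked as a leaf
# (CA:FALSE), and an `openssl verify` check that the child chains to the root.
# Assumes `openssl` is on PATH. The root CA is constructed here only so the
# script runs stand-alone; in practice it is the root from the previous post.
set -eu

sign_and_verify() (
  # Subshell body, so the cd and temporary files stay local to the function.
  dir=$(mktemp -d) && cd "$dir"

  # Minimal config so `openssl req` does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' \
      '[dn]' '[ca]' 'basicConstraints = critical,CA:TRUE' \
      'keyUsage = keyCertSign, cRLSign' > req.cnf

  # Stand-in for the self-signed root CA from the previous post.
  openssl genrsa -out mycertificate.key 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config req.cnf \
      -key mycertificate.key -subj "/CN=Example Root CA" -out mycertificate.crt

  # Child key and CSR; -subj answers the interactive prompts.
  openssl genrsa -out childcertificate.key 2048 2>/dev/null
  openssl req -new -sha256 -config req.cnf -key childcertificate.key \
      -subj "/C=US/O=MyCompany/CN=www.mycompany.com" -out childcertificate.csr

  # Extensions for the child. `openssl x509 -req` does not copy extension
  # requests from the CSR by default, so without -extfile the child has no
  # SAN and modern TLS clients reject it.
  printf '%s\n' 'basicConstraints = CA:FALSE' \
      'keyUsage = digitalSignature, keyEncipherment' \
      'extendedKeyUsage = serverAuth' \
      'subjectAltName = DNS:www.mycompany.com' > child.ext

  openssl x509 -req -days 365 -sha256 -in childcertificate.csr \
      -CA mycertificate.crt -CAkey mycertificate.key -set_serial 01 \
      -extfile child.ext -out childcertificate.crt 2>/dev/null

  # Exits non-zero if the signature or the chain to the root does not check out.
  openssl verify -CAfile mycertificate.crt childcertificate.crt >/dev/null

  # Confirm the SAN and CA:FALSE actually landed in the signed certificate.
  openssl x509 -in childcertificate.crt -noout -text > child.txt
  grep -q 'DNS:www.mycompany.com' child.txt && grep -q 'CA:FALSE' child.txt
)
```

Run it as `sh script.sh && sign_and_verify` from a sourced shell, or append `sign_and_verify` to the file; a non-zero exit means the signature, chain or extensions are wrong.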

Extract Public Key

If you want to extract the public key, you can use this command:

openssl rsa -in childcertificate.key -pubout > childcertificate.pub

It will write the public key to the childcertificate.pub file.

Generate PFX(or PKCS#12) file for the certificate.

The PFX or PKCS#12 format is a binary format for storing the certificate and private key together in a single, password-protectable file. PFX files are usually found with the extensions .pfx and .p12.

openssl pkcs12 -export -out childcertificate.pfx -inkey childcertificate.key \
        -in childcertificate.crt
