Building an OpenSSL Certificate Authority - Creating Your Intermediary Certificate
Creating Your Intermediary Certificate Authority
Previously we created the first part of our OpenSSL CA by building our root certificate. We are now ready to complete our CA chain by creating and s...
Updated Jun 06, 2023
Version 3.0
Chase_Abbott
Employee
Employee
privatenet7
Nimbostratus
NimbostratusHi Chase,
Thanks very much for excellent and detailed lessons on how to create Root CA and Intermediate Certificates. You've covered all the revelant variables in each scenario, of which I still coudn't find after extensive searches from other websites. .
The Root CA lesson was easy to follow.
However, the Intermediate Certificate lesson was a bit curly to follow, as detailed below:
1. Uncertain whether to use "[CA]" and "[CA_default]" sections OR "[int_ca]", but I used the former sections and they work:
"/root/ca/intermediate/openssl_intermediate.cnf
and modify the contents for your own naming conventions. Similar to the
root_ca.cnf
, the
[CA]
is required and will gather it's configuration from the
[CA_default]
section. Changes to the
[int_ca]
include:
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
private_key = $dir/private/int.cheese.key.pem
certificate = $dir/cers/int.cheese.crt.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/int.cheese.crl.pem
crl_extensions = crl_ext
policy = policy_loose
We have new certificate names for our intermediary use and define
policy_loose"
2. v3_intermediate_ca:
Does not matched with Root CA.
Output: [root@ca ca]# openssl ca -config ca.cnf -extensions v3_intermediate_ca -days 256 -md sha384 -in intermediate/csr/int.sansui.csr -out intermediate/certs/int.sansui.crt.pem
Using configuration from ca.cnf
Enter pass phrase for /root/ca/private/ca.sansui.key.pem:
Error Loading extension section v3_intermediate_ca
140437868918672:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/root/ca/index.txt.attr','rb')
140437868918672:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140437868918672:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
140437868918672:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in
3. Missing Distinguished Name in "intermediate.cnf" file:
Output:
[root@ca ca]# openssl req -config intermediate/intermediate.cnf -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout intermediate/private/int.sansui.key.pem -out intermediate/csr/int.sansui.csr
Generating a 384 bit EC private key
writing new private key to 'intermediate/private/int.sansui.key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
140128708568976:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=req name=distinguished_name
I got it working with some minor changes.
Can you please confirm do I use the Root CA or the Intermediate Certificate to sign the End Enity? If using the Intermediate Certificate, can you please provide the command syntax?