Building an OpenSSL Certificate Authority - Creating Your Root Certificate
Hi Chase,
Thanks very much for excellent and detailed lessons on how to create Root CA and Intermediate Certificates. You've covered all the revelant variables in each scenario, of which I still coudn't find after extensive searches from other websites.
The Root CA lesson was easy to follow.
However, the Intermediate Certificate lesson was a bit curly to follow, as detailed below:
1. Uncertain whether to use "[CA]" and "[CA_default]" sections OR "[int_ca]", but I used the former sections and they work:
"/root/ca/intermediate/openssl_intermediate.cnf
and modify the contents for your own naming conventions. Similar to the
root_ca.cnf
, the
[CA]
is required and will gather it's configuration from the
[CA_default]
section. Changes to the
[int_ca]
include:
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
private_key = $dir/private/int.cheese.key.pem
certificate = $dir/cers/int.cheese.crt.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/int.cheese.crl.pem
crl_extensions = crl_ext
policy = policy_loose
We have new certificate names for our intermediary use and define
policy_loose"
2. v3_intermediate_ca:
Does not matched with Root CA.
Output: [root@ca ca]# openssl ca -config ca.cnf -extensions v3_intermediate_ca -days 256 -md sha384 -in intermediate/csr/int.sansui.csr -out intermediate/certs/int.sansui.crt.pem
Using configuration from ca.cnf
Enter pass phrase for /root/ca/private/ca.sansui.key.pem:
Error Loading extension section v3_intermediate_ca
140437868918672:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/root/ca/index.txt.attr','rb')
140437868918672:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
140437868918672:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:
140437868918672:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=CA_default name=email_in
3. Missing Distinguished Name in "intermediate.cnf" file:
Output:
[root@ca ca]# openssl req -config intermediate/intermediate.cnf -new -newkey ec:<(openssl ecparam -name secp384r1) -keyout intermediate/private/int.sansui.key.pem -out intermediate/csr/int.sansui.csr
Generating a 384 bit EC private key
writing new private key to 'intermediate/private/int.sansui.key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
140128708568976:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=req name=distinguished_name
I got it working with some minor changes.
Can you please clarify where do I put the following certificates:
Chain
Intermediate
Can you please explain the next Step with regards to the End Entity Certifate, ie which Certificate is used to sign it or what do I need to do with it to complete the chain of trust, etc..?
Regards
Phuc Le