How to create my own certificate chain?

I would like to set up my own OCSP Responder (just for testing purposes). This requires me to have a root certificate and a few certificates generated from it.

I've managed to create a self-signed certificate using openssl. I want to use it as the root certificate. The next step would be to create the derived certificates. I can't seem to find the documentation on how to do this, however. Does anyone know where I can find this information?

Edit

In retrospect, my question is not yet completely answered. To clarify the problem I'll represent my certificate chain like this:

    ROOT -> A -> B -> C -> ...

I am currently able to create the ROOT and A certificates, but I haven't found out how to make a longer chain.

My command for creating the root certificate is:

    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

Certificate A is created like this:

    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    openssl ca -in client.csr -out client.cer

This command implicitly depends on the root certificate, for which it finds the required info in the openssl configuration file.

Certificate B, however, must rely only on A, which is not registered in the config file, so the previous command won't work here.

What command line should I use to create certificates B and beyond?

Edit

I found the answer in this article. Certificate B (chain A -> B) can be created with these two commands:

    # Create a certificate request
    openssl req -new -keyout B.key -out B.request -days 365

    # Create and sign the certificate
    openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request

I also changed the openssl.cnf file:

    [ usr_cert ]
    basicConstraints=CA:TRUE # prev value was FALSE

This approach seems to be working well.

Tags: ssl, certificate

asked Mar 31 '10 at 15:38 by StackedCrooked; edited Apr 8 '10 at 11:28

  • The link at the bottom of the edit section is broken
    – enthusiasticgeek, Jul 15 '14 at 15:58

  • Up to 2015 the article mentioned in the last edit of this post is dead. So you can check the page through a web archive: web.archive.org/web/20100504162138/http://www.ibm.com/…
    – Iomanip, Jul 18 '15 at 6:51

  • Refer to 8gwifi.org/cafunctions.jsp
    – anish, Dec 4 '18 at 5:08
5 Answers

You can use OpenSSL directly.

  1. Create a Certificate Authority private key (this is your most important key):

    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

  2. Create your CA self-signed certificate:

    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

  3. Issue a client certificate by first generating the key, then the request (or use one provided by an external system), then sign the certificate using the private key of your CA:

    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    openssl ca -in client.csr -out client.cer

(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to set up your own .conf file first.)

answered Mar 31 '10 at 18:03 by twk; edited Apr 7 '10 at 15:34 by quack quixote

  • Thanks, your instructions worked after some tweaking of my openssl.conf file.
    – StackedCrooked, Apr 1 '10 at 7:59

  • @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.
    – quack quixote, Apr 7 '10 at 19:08

  • Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cert ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.
    – Iiridayn, Jun 28 '17 at 20:28

  • "You may need to add some options..." really removes the utility from this answer.
    – Zach, Feb 8 '18 at 18:52

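The script below is an added example, not code from twk's answer or from the question. It fills in the step the answer leaves to "some options" and that the question's final edit and the Iiridayn comment both run into: `openssl ca` refuses to work without its small database (index.txt, serial, a newcerts directory, the "demoCA" accouterments) and a config file, and once each issuer has those, `-cert`/`-keyfile` let A sign B exactly the way ROOT signs A, with nothing about the issuer stored in the system openssl.cnf. Every file, directory and section name (db_ROOT, v3_ca, v3_leaf, policy_cn_only, ...) is this example's own choice; it assumes only a stock `openssl` binary on the PATH and works in a temporary directory.

```shell
#!/bin/sh
# Added example: build ROOT -> A -> B with `openssl ca`, giving each issuer
# its own minimal CA database instead of the system-wide demoCA/openssl.cnf.
# Assumes a stock `openssl` binary; every file name here is this example's own.
set -eu

# Write the database files plus a self-contained config for one issuer.
# $1 = directory, e.g. db_ROOT. `openssl ca` refuses to run without
# index.txt, serial and new_certs_dir, which is the "demoCA" complaint.
write_ca_config() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"        # database of issued certificates, empty at start
  echo 01 > "$dir/serial"     # next serial number to issue
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
default_md       = sha256
default_days     = 365
policy           = policy_cn_only
[ policy_cn_only ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Self-signed root named $1, marked as a CA via the v3_ca section.
make_root() {
  write_ca_config "db_$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "db_$1/openssl.cnf" -extensions v3_ca -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a certificate for $2, signed by $1, with extension section $3.
# -cert/-keyfile name the issuer explicitly, so A signs B the same way
# ROOT signs A; nothing about the issuer lives in a shared config file.
issue() {
  signer=$1; name=$2; ext=$3
  [ -f "db_$signer/openssl.cnf" ] || write_ca_config "db_$signer"
  openssl req -new -newkey rsa:2048 -nodes -config "db_$signer/openssl.cnf" \
    -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "db_$signer/openssl.cnf" \
    -cert "$signer.pem" -keyfile "$signer.key" -extensions "$ext" \
    -in "$name.csr" -out "$name.pem" >/dev/null 2>&1
}

# Build the chain in a scratch directory; exit status 0 means B verified
# against ROOT with A supplied as the untrusted intermediate.
build_and_verify_chain() (
  cd "$(mktemp -d)"
  make_root ROOT
  issue ROOT A v3_ca     # A: intermediate CA
  issue A    B v3_leaf   # B: end-entity, issued by A alone
  openssl verify -CAfile ROOT.pem -untrusted A.pem B.pem >/dev/null
)

build_and_verify_chain && echo "ROOT -> A -> B verifies"
```

The `issue` function is the `openssl ca -keyfile A.key -cert A.pem` call from the question's edit, minus the dependency on the system config, and `-batch` is what stops `openssl ca` from prompting "Sign the certificate?". Keeping a separate index.txt and serial file per issuer also keeps serial numbers unique per issuer, which matters for the question's OCSP goal: an OCSP request identifies a certificate by issuer and serial, so an issuer that hands out duplicate serials cannot be queried reliably.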
Once you have created your CA you could use it to sign thus:

  • Create a key:

    openssl genrsa -out key_A.key 1024

  • Create a CSR:

    openssl req -new -key key_A.key -out csr_A.csr

    (You are about to be asked to enter information etc....)

  • Sign it:

    openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt \
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt

    and so on, replacing *_A with *_B, CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key.

Your change:

    basicConstraints=CA:TRUE  # prev value was FALSE

means that the certificates you issue can be used to sign other certificates.

answered Apr 29 '12 at 17:54 by Mr_and_Mrs_D; edited Jun 24 '14 at 10:54

  • thx, very helpful
    – flotto, Mar 27 '17 at 7:59

  • What .crt file?
    – MickyD, Oct 1 '18 at 5:12

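An added example, not Mr_and_Mrs_D's code, that follows the `openssl x509 -req -CA` route of this answer while making the basicConstraints point explicit. Two things a practitioner wants to know here: `openssl x509 -req` never reads the `[ usr_cert ]` section of openssl.cnf (that section belongs to `openssl ca`), so the CA flag has to come from `-extfile`/`-extensions`; and the question's change of `usr_cert` to `CA:TRUE` turns every certificate issued from it, end-entity ones included, into a signer. The example instead gives the intermediate `CA:TRUE, pathlen:0` and the leaf `CA:FALSE`, then shows `openssl verify` rejecting a certificate that the leaf signed. It also swaps `-set_serial 01` for `-CAcreateserial`, which keeps a per-issuer serial file. The ext.cnf file, its section names and the CNs are this example's own; it assumes only a stock `openssl` binary and works in a temporary directory.

```shell
#!/bin/sh
# Added example: the `openssl x509 -req -CA` route with the CA flag handled
# explicitly via -extfile/-extensions, since [ usr_cert ] is not consulted here.
# Assumes a stock `openssl` binary; file, section and CN names are this example's own.
set -eu

# Extension sections: a root, an intermediate limited to issuing leaves
# (pathlen:0), and an end-entity that must never act as a CA. The [ req ]
# part lets this same file serve as the config for `openssl req`.
write_ext_file() {
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca_cert ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_cert ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root $1.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config ext.cnf -extensions root_cert -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Key and CSR for $1 (a CN is all a test chain needs).
new_request() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Sign $2's CSR with $1's certificate and key, applying extension section $3.
# -CAcreateserial keeps a per-issuer serial file ($1.srl) so two certificates
# from the same issuer never share a serial, which -set_serial 01 on every
# call would produce.
sign_with() {
  openssl x509 -req -days 365 -sha256 -in "$2.csr" \
    -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" -out "$2.crt" 2>/dev/null
}

# ROOT -> A (intermediate) -> B (leaf), then C signed by B. Exit status 0
# means B verified through A, and C was rejected: B carries CA:FALSE and no
# keyCertSign, and A's pathlen:0 would forbid a further CA below it anyway.
chain_demo() (
  cd "$(mktemp -d)"
  write_ext_file
  make_root ROOT
  new_request A; sign_with ROOT A ca_cert
  new_request B; sign_with A    B leaf_cert
  new_request C; sign_with B    C leaf_cert   # signs fine; trust is the question
  openssl verify -CAfile ROOT.crt -untrusted A.crt B.crt >/dev/null
  cat A.crt B.crt > intermediates.crt
  if openssl verify -CAfile ROOT.crt -untrusted intermediates.crt C.crt >/dev/null 2>&1; then
    echo "C was accepted although its issuer B is not a CA" >&2
    exit 1
  fi
)

chain_demo && echo "B verifies via A; C (issued by non-CA B) is rejected"
```

The last step is the check worth keeping around: `openssl x509 -req` will happily produce C, because signing is just a private-key operation, and only the verifier's path validation (basicConstraints, keyUsage, pathlen) decides whether B was entitled to do it. That is why a leaf should carry `CA:FALSE` rather than inheriting `CA:TRUE` from a shared config section.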
OpenSSL comes with a Perl script "CA.pl" to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs) and helps you process those CSRs (that is, issue certs for them), and more.

Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.

If I recall correctly, the syntax goes something like this:

    CA.pl -newca    # Create a new root CA
    CA.pl -newreq   # Create a new CSR
    CA.pl -sign     # Sign a CSR, creating a cert
    CA.pl -pkcs12   # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine
  • This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl
    – Colin M, Jan 25 '17 at 22:00
You can do that in one command:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

You can also add -nodes (short for no DES) if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for "at least a 4 character" password.

The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated by any third party unless you have imported them into the browsers beforehand. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).
I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server

It is for Node.JS, but the script in this GitHub repo uses OpenSSL commands to create a root CA cert and a domain cert.

Run using: bash make-root-ca-and-certificates.sh 'example.com'

Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'

make-root-ca-and-certificates.sh

    #!/bin/bash
    FQDN=$1

    # make directories to work from
    mkdir -p certs/{server,client,ca,tmp}

    # Create your very own Root Certificate Authority
    openssl genrsa \
      -out certs/ca/my-root-ca.key.pem \
      2048

    # Self-sign your Root Certificate Authority
    # Since this is private, the details can be as bogus as you like
    openssl req \
      -x509 \
      -new \
      -nodes \
      -key certs/ca/my-root-ca.key.pem \
      -days 1024 \
      -out certs/ca/my-root-ca.crt.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

    # Create a Device Certificate for each domain,
    # such as example.com, *.example.com, awesome.example.com
    # NOTE: You MUST match CN to the domain name or ip address you want to use
    openssl genrsa \
      -out certs/server/privkey.pem \
      2048

    # Create a request from your Device, which your Root CA will sign
    openssl req -new \
      -key certs/server/privkey.pem \
      -out certs/tmp/csr.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

    # Sign the request from Device with your Root CA
    # -CAserial certs/ca/my-root-ca.srl
    openssl x509 \
      -req -in certs/tmp/csr.pem \
      -CA certs/ca/my-root-ca.crt.pem \
      -CAkey certs/ca/my-root-ca.key.pem \
      -CAcreateserial \
      -out certs/server/cert.pem \
      -days 500

    # Create a public key, for funzies
    # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
    openssl rsa \
      -in certs/server/privkey.pem \
      -pubout -out certs/client/pubkey.pem

    # Put things in their proper place
    rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
    rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
    cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "3"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f126121%2fhow-to-create-my-own-certificate-chain%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      26














      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer


























      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 12





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52
















      26














      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer


























      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 12





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52














      26












      26








      26







      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)






      share|improve this answer















      You can use OpenSSL directly.





      1. Create a Certificate Authority private key (this is your most important key):



        openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key



      2. Create your CA self-signed certificate:



        openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem



      3. Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:



        openssl genrsa -out client.key 1024
        openssl req -new -key client.key -out client.csr
        openssl ca -in client.csr -out client.cer



      (You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Apr 7 '10 at 15:34









      quack quixote

      35.3k1087119




      35.3k1087119










      answered Mar 31 '10 at 18:03









      twktwk

      495148




      495148













      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 12





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52



















      • Thanks, you instructions worked after some tweaking of my openssl.conf file.

        – StackedCrooked
        Apr 1 '10 at 7:59






      • 3





        @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

        – quack quixote
        Apr 7 '10 at 19:08






      • 2





        Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

        – Iiridayn
        Jun 28 '17 at 20:28






      • 12





        "You may need to add some options..." really removes the utility from this answer.

        – Zach
        Feb 8 '18 at 18:52

















      Thanks, you instructions worked after some tweaking of my openssl.conf file.

      – StackedCrooked
      Apr 1 '10 at 7:59





      Thanks, you instructions worked after some tweaking of my openssl.conf file.

      – StackedCrooked
      Apr 1 '10 at 7:59




      3




      3





      @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

      – quack quixote
      Apr 7 '10 at 19:08





      @twk: note the question has one more step needed for a complete answer -- how to create another certificate that only depends on the certificate created in step 3, but not the root certificate.

      – quack quixote
      Apr 7 '10 at 19:08




      2




      2





      Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

      – Iiridayn
      Jun 28 '17 at 20:28





      Fails at last step with "unable to load CA private key"; I can get partway there by supplying the key and cert with openssl ca -in client.csr -out client.cer -cern ca.pem -keyfile ca.key, but it wants a demoCA directory and various accouterments.

      – Iiridayn
      Jun 28 '17 at 20:28




      12




      12





      "You may need to add some options..." really removes the utility from this answer.

      – Zach
      Feb 8 '18 at 18:52





      "You may need to add some options..." really removes the utility from this answer.

      – Zach
      Feb 8 '18 at 18:52













      10














      Once you have created your CA you could use it to sign thus :





      • Create a key :



        openssl genrsa -out key_A.key  1024



      • Create a csr :



        openssl req -new -key key_A.key -out csr_A.csr
        You are about to be asked to enter information etc....



      • Sign it :



        openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt 
        -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt


        and so on replacing *_A with *_B and CA_certificate_you_created.crt with crt_A.crt and CA_key_you_created.key with key_A.key




      Your changing :



      basicConstraints=CA:TRUE  # prev value was FALSE


      means that the certificates you issue can be used to sign other certificates.






edited Jun 24 '14 at 10:54
answered Apr 29 '12 at 17:54
Mr_and_Mrs_D













• thx, very helpful – flotto, Mar 27 '17 at 7:59
• What .crt file? – MickyD, Oct 1 '18 at 5:12






























      7














OpenSSL comes with a Perl script, "CA.pl", to help you create a self-signed root CA cert, along with the matching private key, plus a few simple files and directories to help keep track of any future certs you sign (a.k.a. issue) with that root CA. It also helps you generate other key pairs and certificate signing requests (CSRs), helps you process those CSRs (that is, issue certs for them), and more.

Note that many products require CA certs to contain a certain attribute marking them as CA certs, or they won't be accepted as valid signers/issuers of other certs. If the self-signed cert you created does not contain that attribute, you might have trouble getting other software to treat it like a valid root CA cert.

If I recall correctly, the syntax goes something like this:

    CA.pl -newca    # Create a new root CA
    CA.pl -newreq   # Create a new CSR
    CA.pl -sign     # Sign a CSR, creating a cert
    CA.pl -pkcs12   # Turn an issued cert, plus its matching private key and trust chain, into a .p12 file you can install on another machine





answered Mar 31 '10 at 17:51
Spiff








• This was helpful. On Ubuntu 14.04 I found the file at /usr/lib/ssl/misc/CA.pl – Colin M, Jan 25 '17 at 22:00

























      0














You can do that in one command:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

You can also add -nodes (short for "no DES") if you don't want to protect your private key with a passphrase. Otherwise it will prompt you for an "at least 4 character" password.

You can replace the days parameter (365) with any number to affect the expiration date. It will then prompt you for things like "Country Name", but you can just hit Enter and accept the defaults.

Add -subj '/CN=localhost' to suppress questions about the contents of the certificate (replace localhost with your desired domain).

Self-signed certificates are not validated by any third party unless you have imported them into the browsers beforehand. If you want your certificate to be accepted by browsers without your certificate chain installed, you should use a certificate signed by a certificate authority (CA).






answered Jan 29 at 6:01
vharron























              -1














I found this post: https://stackoverflow.com/questions/19665863/how-do-i-use-a-self-signed-certificate-for-a-https-node-js-server

It is for Node.JS, but the script in this GitHub repo uses OpenSSL commands to create a root CA cert and a domain cert.

Run using: bash make-root-ca-and-certificates.sh 'example.com'

Or for localhost using: bash make-root-ca-and-certificates.sh 'localhost'

make-root-ca-and-certificates.sh

    #!/bin/bash
    # Usage: make-root-ca-and-certificates.sh <fqdn>
    FQDN=${1:?usage: $0 <fqdn>}

    # make directories to work from
    mkdir -p certs/{server,client,ca,tmp}

    # Create your very own Root Certificate Authority
    openssl genrsa \
      -out certs/ca/my-root-ca.key.pem \
      2048

    # Self-sign your Root Certificate Authority
    # Since this is private, the details can be as bogus as you like
    openssl req \
      -x509 \
      -new \
      -nodes \
      -key certs/ca/my-root-ca.key.pem \
      -days 1024 \
      -out certs/ca/my-root-ca.crt.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

    # Create a Device Certificate for each domain,
    # such as example.com, *.example.com, awesome.example.com
    # NOTE: You MUST match CN to the domain name or ip address you want to use
    openssl genrsa \
      -out certs/server/privkey.pem \
      2048

    # Create a request from your Device, which your Root CA will sign
    openssl req -new \
      -key certs/server/privkey.pem \
      -out certs/tmp/csr.pem \
      -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

    # Sign the request from Device with your Root CA
    # -CAserial certs/ca/my-root-ca.srl
    openssl x509 \
      -req -in certs/tmp/csr.pem \
      -CA certs/ca/my-root-ca.crt.pem \
      -CAkey certs/ca/my-root-ca.key.pem \
      -CAcreateserial \
      -out certs/server/cert.pem \
      -days 500

    # Create a public key, for funzies
    # see https://gist.github.com/coolaj86/f6f36efce2821dfb046d
    openssl rsa \
      -in certs/server/privkey.pem \
      -pubout -out certs/client/pubkey.pem

    # Put things in their proper place
    rsync -a certs/ca/my-root-ca.crt.pem certs/server/chain.pem
    rsync -a certs/ca/my-root-ca.crt.pem certs/client/chain.pem
    cat certs/server/cert.pem certs/server/chain.pem > certs/server/fullchain.pem





answered Nov 6 '18 at 22:59
Ralph Bisschops
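To see what the basicConstraints choices in these answers (the CA:TRUE change in the accepted recipe, the "CA attribute" Spiff mentions, the root-signs-leaf script above) do at validation time, here is a Go program, added here and not taken from any of the posts or the linked script, that builds the ROOT -> A -> B -> C chain of the question with the standard crypto/x509 package instead of the openssl CLI and then validates B and C the way `openssl verify -CAfile root.pem -untrusted A.pem B.pem` would. It shows that A cannot issue B without CA:TRUE, that issuing every certificate with CA:TRUE (the usr_cert change) lets any leaf holder mint further certificates that chain to the root, and that a pathlen:0 constraint on A caps the chain. The function and subject names are assumptions, and no OpenSSL files are read or written.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// holder is one level of the chain: the certificate plus the key that issues the next level
// (crt_A.crt and key_A.key in the answer above).
type holder struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// issue signs a certificate for cn with parent, or self-signs it when parent is nil. isCA is
// the programmatic form of basicConstraints=CA:TRUE/FALSE, pathLen of pathlen:N (-1 = no limit).
func issue(cn string, parent *holder, isCA bool, pathLen int) (*holder, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a test chain
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // -days 365
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = pathLen, pathLen == 0
	}
	if parent == nil { // self-signed ROOT: the template signs itself
		parent = &holder{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &holder{cert: cert, key: key}, err
}

// verify is the check `openssl verify -CAfile root.pem -untrusted A.pem B.pem` performs.
func verify(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// Outcome: does B validate against ROOT, and does a C that B then issues?
type Outcome struct{ BVerifies, CVerifies bool }

// Build issues ROOT -> A -> B -> C with the chosen basicConstraints for A and B, then validates B and C.
func Build(aIsCA bool, aPathLen int, bIsCA bool) (Outcome, error) {
	var parent *holder // nil for the self-signed ROOT, then the level just issued
	var chain []*holder
	for _, s := range []struct{ cn string; isCA bool; pathLen int }{
		{"Test Root", true, -1}, {"A", aIsCA, aPathLen}, {"B", bIsCA, -1}, {"C", false, -1},
	} {
		h, err := issue(s.cn, parent, s.isCA, s.pathLen)
		if err != nil {
			return Outcome{}, err
		}
		chain, parent = append(chain, h), h
	}
	root, a, b, c := chain[0].cert, chain[1].cert, chain[2].cert, chain[3].cert
	return Outcome{BVerifies: verify(b, root, a) == nil, CVerifies: verify(c, root, a, b) == nil}, nil
}

func main() {
	for _, tc := range []struct{ aCA, bCA bool; aPathLen int }{{true, false, -1}, {false, false, -1}, {true, true, -1}, {true, true, 0}} {
		out, err := Build(tc.aCA, tc.aPathLen, tc.bCA)
		fmt.Printf("A CA:%v pathlen:%d, B CA:%v -> B verifies: %v, C issued by B verifies: %v (err: %v)\n",
			tc.aCA, tc.aPathLen, tc.bCA, out.BVerifies, out.CVerifies, err)
	}
}
```

Each output line is one basicConstraints combination; only the last one, with A limited to pathlen:0, keeps a CA:TRUE leaf from extending the chain.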





























