Siva
Siva, author of Technology Medium, loves sharing his knowledge through technology articles. He works in the DevOps & SRE domain.

How to create a root, intermediate and self-signed certificate

A self-signed certificate is a certificate that is not issued by a trusted CA such as DigiCert. In some cases it makes sense to use a self-signed certificate, for example in a dev environment or for intranet websites. The self-signed certificate is then used by a web server such as Apache or Nginx to serve the application over HTTPS.

Prerequisites

  • OpenSSL
  • keytool (ships with the Java JDK)

Step 1: Create Root Certs

Create the folder structure

Run the commands below to create the folder structure for the root CA.

 mkdir /root/ca
 cd /root/ca
 mkdir certs crl newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial

Create Root CA configuration file

Download or copy the Root CA configuration file content and save it as openssl.cnf in the /root/ca folder.

Create Root Key

Run the commands below to create the root key file ca.key.pem and restrict its permissions so that only root can read it.

 cd /root/ca
 openssl genrsa -aes256 -out private/ca.key.pem 4096

 Enter pass phrase for ca.key.pem: secretpassword
 Verifying - Enter pass phrase for ca.key.pem: secretpassword

 chmod 400 private/ca.key.pem

Create Root Certificates

Run the commands below to create the self-signed root certificate ca.cert.pem.

 cd /root/ca
 openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem

 Enter pass phrase for ca.key.pem: secretpassword
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 -----
 Country Name (2 letter code) [XX]:GB
 State or Province Name []:England
 Locality Name []:
 Organization Name []:Alice Ltd
 Organizational Unit Name []:Alice Ltd Certificate Authority
 Common Name []:Alice Ltd Root CA
 Email Address []:

 chmod 444 certs/ca.cert.pem

Verify the root certificate

 openssl x509 -noout -text -in certs/ca.cert.pem

Step 2: Create Intermediate Certs

Create the folder structure

Run the commands below to create the folder structure for the intermediate CA.

 mkdir /root/ca/intermediate
 cd /root/ca/intermediate
 mkdir certs crl csr newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial
 echo 1000 > /root/ca/intermediate/crlnumber

Create Intermediate CA configuration file

Download or copy the Intermediate CA configuration file content and save it as openssl.cnf in the /root/ca/intermediate folder.

Create Intermediate Key

Run the commands below to create the intermediate key file intermediate.key.pem.

 cd /root/ca
 openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096

 Enter pass phrase for intermediate.key.pem: secretpassword
 Verifying - Enter pass phrase for intermediate.key.pem: secretpassword

 chmod 400 intermediate/private/intermediate.key.pem

Create Intermediate Certificate

Run the commands below to create the intermediate certificate request (intermediate.csr.pem) and then sign it with the root CA to produce the intermediate certificate (intermediate.cert.pem).

 cd /root/ca
 openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

 Enter pass phrase for intermediate.key.pem: secretpassword
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 -----
 Country Name (2 letter code) [XX]:GB
 State or Province Name []:England
 Locality Name []:
 Organization Name []:Alice Ltd
 Organizational Unit Name []:Alice Ltd Certificate Authority
 Common Name []:Alice Ltd Intermediate CA
 Email Address []:


 openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem

 Enter pass phrase for ca.key.pem: secretpassword
 Sign the certificate? [y/n]: y

 chmod 444 intermediate/certs/intermediate.cert.pem

Verify the Intermediate certificate

With the commands below, we can read the content of intermediate.cert.pem and verify that it chains to the root certificate.

 openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

 openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

 intermediate.cert.pem: OK

Create the certificate chain file

Run the commands below to create the chain file ca-chain.cert.pem (intermediate certificate first, then the root certificate).

 cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
 chmod 444 intermediate/certs/ca-chain.cert.pem

Step 3: Create and sign the server and client certificates

Create Key

 cd /root/ca
 openssl genrsa -aes256 \
      -out intermediate/private/www.example.com.key.pem 2048
 chmod 400 intermediate/private/www.example.com.key.pem

Create Certificate

 cd /root/ca
 openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.example.com.key.pem \
      -new -sha256 -out intermediate/csr/www.example.com.csr.pem

 Enter pass phrase for www.example.com.key.pem: secretpassword
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 -----
 Country Name (2 letter code) [XX]:US
 State or Province Name []:California
 Locality Name []:Mountain View
 Organization Name []:Alice Ltd
 Organizational Unit Name []:Alice Ltd Web Services
 Common Name []:www.example.com
 Email Address []:

 cd /root/ca
 openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem
 chmod 444 intermediate/certs/www.example.com.cert.pem

Verify the certificate

 openssl x509 -noout -text \
      -in intermediate/certs/www.example.com.cert.pem

 openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.example.com.cert.pem
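As an added example (not part of the original article), the script below builds a throwaway root, intermediate and server certificate non-interactively with the openssl CLI, assembles the chain file in the same order as above, and runs the same openssl verify check twice: once against ca-chain.cert.pem and once against the root alone, where it fails because the intermediate is missing. The names Demo Ltd and www.demo.example are constructed, the keys are left unencrypted with -nodes purely to avoid prompts, and openssl x509 -req is used for signing instead of the article's openssl ca database so that no openssl.cnf is needed.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway
# root -> intermediate -> leaf hierarchy without prompts, then show which
# trust bundle lets the leaf verify. Names such as Demo Ltd are constructed.
set -e

# Key + CSR for one entity. -nodes leaves the test key unencrypted, the
# opposite of the article's -aes256, and is acceptable only for a demo.
mk_csr() {  # $1 = dir, $2 = name, $3 = subject
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null
}

# Issue a certificate from a CSR. $3 names the issuer, or is empty to
# self-sign; $5 is the X.509v3 extension text with \n between lines.
issue() {  # $1 = dir, $2 = name, $3 = issuer, $4 = days, $5 = extensions
  printf '%b\n' "$5" > "$1/$2.ext"
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1/$2.csr.pem" -signkey "$1/$2.key.pem" \
      -days "$4" -sha256 -extfile "$1/$2.ext" -out "$1/$2.cert.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr.pem" -CA "$1/$3.cert.pem" \
      -CAkey "$1/$3.key.pem" -CAcreateserial -days "$4" -sha256 \
      -extfile "$1/$2.ext" -out "$1/$2.cert.pem" 2>/dev/null
  fi
}

# Same three tiers as the article, plus a SAN on the leaf; the chain file
# is assembled in the article's order (intermediate first, then root).
build_demo_pki() {  # $1 = working directory
  mkdir -p "$1"
  mk_csr "$1" ca "/O=Demo Ltd/CN=Demo Root CA"
  issue "$1" ca "" 3650 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  mk_csr "$1" intermediate "/O=Demo Ltd/CN=Demo Intermediate CA"
  issue "$1" intermediate ca 1825 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
  mk_csr "$1" www "/O=Demo Ltd/CN=www.demo.example"
  issue "$1" www intermediate 375 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.demo.example'
  cat "$1/intermediate.cert.pem" "$1/ca.cert.pem" > "$1/ca-chain.cert.pem"
}

# The article's verify step, printing OK or FAIL instead of exiting so
# the negative case can be shown too.
verify_leaf() {  # $1 = CA bundle, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
echo "leaf vs ca-chain.cert.pem: $(verify_leaf "$WORK/ca-chain.cert.pem" "$WORK/www.cert.pem")"  # OK
echo "leaf vs ca.cert.pem only : $(verify_leaf "$WORK/ca.cert.pem" "$WORK/www.cert.pem")"  # FAIL, intermediate absent
```

The second line fails with "unable to get local issuer certificate": a client that trusts only the root still needs the intermediate, which is why the server must be configured with ca-chain.cert.pem rather than with www.example.com.cert.pem alone.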

Deploy the certificate

The following three files are deployed to the web server:

  • ca-chain.cert.pem
  • www.example.com.key.pem
  • www.example.com.cert.pem

Step 4: Create a JKS file

The three files above are used in the commands below to create PKCS#12 (.p12) and JKS keystore files.

 cd intermediate
 openssl pkcs12 -export -in certs/www.example.com.cert.pem \
      -inkey private/www.example.com.key.pem \
      -chain -CAfile certs/ca-chain.cert.pem \
      -name "www.example.com" -out www.example.com.p12

 keytool -importkeystore -deststorepass <password> \
      -destkeystore www.example.com.jks \
      -srckeystore www.example.com.p12 -srcstoretype PKCS12

Ref: ssl-jks-creation

Step 5: Read or verify the PKCS12 and JKS files

keytool -v -list -keystore www.example.com.jks
keytool -v -list -keystore www.example.com.p12

FAQs

How to read a CSR file

To read the content of a certificate request (CSR) file:

 openssl req -noout -text -in www.example.csr.pem

Failed to update DB: TXT_DB error number 2

Refer to this article when openssl ca fails with the "failed to update database, TXT_DB error number 2" error; it means index.txt already holds an entry with the same subject or serial number.

How to include a SAN in the certificate

Refer to this article to include subject alternative names as part of the certificate, i.e. the CERT file.

How to include a SAN in the CSR

Refer to this article to include subject alternative names as part of the certificate request, i.e. the CSR file.

Conclusion

I hope this article will help you create a self-signed certificate. Please comment if you face any issues.
