OpenSSL – How to create Chain Certificates

Introduction

Lately, a secure connection has become an essential requirement for nearly all business applications, and the importance of serving them over HTTPS cannot be overstated. Understanding how SSL certificates work is therefore essential, and that holds even for non-production environments, where SSL connections should also be enforced. A firm grasp of SSL connections is indispensable for our professional growth. In this blog post, I will guide you through the process of efficiently generating self-signed certificates at the enterprise level.

Image of the VPC we are setting up in this blog

1. Planning

2. Initialise OpenSSL

2-1. Install “tree” command

sudo apt install tree

2-2. Create a folder to store all the certificates and go into the folder

mkdir practice
cd practice

2-3. Create the main folder structure for OpenSSL

mkdir -p {ca,mid-ca,server}/{private,certs,newcerts,crl,csr}

2-4. Change the permission of “Private Folder” and check the result

chmod -v 700 {ca,mid-ca,server}/private
ls -l ca mid-ca server

2-5. Create “Index” files

touch {ca,mid-ca}/index

2-6. Create “Serial” files

openssl rand -hex 16 > ca/serial
openssl rand -hex 16 > mid-ca/serial

2-7. Get the contents from links below and create the following 2 files

ca/ca.conf
mid-ca/mid-ca.conf

3. Create a CA certificate

3-1. Create a key file for “CA”

openssl genrsa -aes256 -out ca/private/ca.key 4096

3-2. Create a certificate file for “CA”

openssl req -config ca/ca.conf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/certs/ca.crt

4. Create an Intermediate certificate

4-1. Create a key file for “Intermediate CA”

openssl genrsa -aes256 -out mid-ca/private/mid-ca.key 4096

4-2. Create a Certificate Signing Request (CSR) for “Intermediate CA”

openssl req -config ca/ca.conf -new -key mid-ca/private/mid-ca.key -sha256 -out mid-ca/csr/mid-ca.csr

4-3. Create a certificate file for “Intermediate CA”

openssl ca -config ca/ca.conf -extensions v3_mid_ca -days 3650 -notext -in mid-ca/csr/mid-ca.csr -out mid-ca/certs/mid-ca.crt

5. Create a Single Domain Certificate

5-1. Create a key file for “Single Domain Certificate”

openssl genrsa -out server/private/DEV-WEB-EN001.key 2048

5-2. Create a Certificate Signing Request (CSR) for “Single Domain Certificate”

openssl req -config mid-ca/mid-ca.conf -key server/private/DEV-WEB-EN001.key -new -sha256 -out server/csr/DEV-WEB-EN001.csr 

5-3. Create a certificate file for “Single Domain Certificate”

openssl ca -config mid-ca/mid-ca.conf -extensions server_cert -days 3650 -notext -in server/csr/DEV-WEB-EN001.csr -out server/certs/DEV-WEB-EN001.crt

5-4. Create a PFX Certificate file for “Single Domain Certificate”

openssl pkcs12 -inkey server/private/DEV-WEB-EN001.key -in server/certs/DEV-WEB-EN001.crt -export -out server/certs/DEV-WEB-EN001.pfx

How to check the contents of a certificate file (.crt)

openssl x509 -noout -text -in server/certs/DEV-WEB-EN001.crt

6. Create a Wildcard Certificate

6-1. Create a key file for “Wildcard Certificate”

openssl genrsa -out server/private/Wildcard.key 2048

6-2. Create a Certificate Signing Request (CSR) for “Wildcard Certificate”

openssl req -config mid-ca/mid-ca.conf -key server/private/Wildcard.key -new -sha256 -out server/csr/Wildcard.csr 

6-3. Create a certificate file for “Wildcard Certificate”

openssl ca -config mid-ca/mid-ca.conf -extensions server_cert_wildcard -days 3650 -notext -in server/csr/Wildcard.csr -out server/certs/Wildcard.crt

6-4. Create a PFX Certificate file for “Wildcard Certificate”

openssl pkcs12 -inkey server/private/Wildcard.key -in server/certs/Wildcard.crt -export -out server/certs/Wildcard.pfx

How to check the contents of a certificate file (.crt)

openssl x509 -noout -text -in server/certs/Wildcard.crt

7. Create a Multi Domain Certificate

7-1. Create a key file for “Multi Domain Certificate”

openssl genrsa -out server/private/Multi-Domain.key 2048

7-2. Create a Certificate Signing Request (CSR) for “Multi Domain Certificate”

openssl req -config mid-ca/mid-ca.conf -key server/private/Multi-Domain.key -new -sha256 -out server/csr/Multi-Domain.csr 

7-3. Create a certificate file for “Multi Domain Certificate”

openssl ca -config mid-ca/mid-ca.conf -extensions server_cert_multi -days 3650 -notext -in server/csr/Multi-Domain.csr -out server/certs/Multi-Domain.crt

7-4. Create a PFX Certificate file for “Multi Domain Certificate”

openssl pkcs12 -inkey server/private/Multi-Domain.key -in server/certs/Multi-Domain.crt -export -out server/certs/Multi-Domain.pfx

How to check the contents of a certificate file (.crt)

openssl x509 -noout -text -in server/certs/Multi-Domain.crt

8. Create a CA-bundle

8-1. Merge 2 certificates (mid-ca.crt and ca.crt) using the “cat” command
The order is “Intermediate certificate” first, then “CA certificate”

cat mid-ca/certs/mid-ca.crt ca/certs/ca.crt > mid-ca/certs/ca-bundle.crt

8-2. Make the certificate “Read Only” for everyone

chmod 444 mid-ca/certs/ca-bundle.crt

8-3. Verify the certificate

openssl verify -CAfile ca/certs/ca.crt mid-ca/certs/ca-bundle.crt
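The verify step above only checks the first certificate in the bundle (the intermediate) against the root. The script below is an added example, not part of the original post: it builds a throw-away root -> intermediate -> server chain and then runs the three checks worth doing before a certificate and bundle are deployed (the leaf chains to the root through the bundle and matches the hostname, the private key belongs to the certificate, and the bundle starts with the intermediate). It assumes OpenSSL 1.1.1 or later on PATH and signs with `openssl x509 -req` plus small extension files because the post's ca.conf and mid-ca.conf are not reproduced here; every subject, hostname and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: builds a throw-away root -> intermediate -> server
# chain (no passphrases, 30-day validity) and runs pre-deployment checks. All names are constructed.
set -eu

# build_demo_chain DIR: writes ca.*, mid-ca.*, server.* and ca-bundle.crt under DIR
build_demo_chain() {
  d=$1; mkdir -p "$d"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign' > "$d/mid.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:dev-web-en001.example.test' > "$d/srv.ext"
  # root CA: self-signed with the CA extensions from ca.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 -sha256 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  # intermediate CA: signed by the root; pathlen:0 means it may only issue leaf certificates
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/mid-ca.key" -out "$d/mid-ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/mid-ca.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/mid.ext" -out "$d/mid-ca.crt" 2>/dev/null
  # server leaf: signed by the intermediate, hostname carried in subjectAltName
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=dev-web-en001.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/mid-ca.crt" -CAkey "$d/mid-ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/srv.ext" -out "$d/server.crt" 2>/dev/null
  # bundle in the order the post uses: intermediate first, root last
  cat "$d/mid-ca.crt" "$d/ca.crt" > "$d/ca-bundle.crt"
}
# pubkey_digest FILE: SHA-256 of the DER-encoded public key, from a .crt or a private key file
pubkey_digest() {
  case $1 in *.crt) openssl x509 -in "$1" -noout -pubkey ;; *) openssl pkey -in "$1" -pubout ;; esac |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
# verify_chain DIR: returns 0 only if every pre-deployment check passes
verify_chain() {
  d=$1
  # 1. leaf chains to the root with the bundle supplying the intermediate (only the root is
  #    a trust anchor) and the certificate matches the hostname clients will connect to
  openssl verify -CAfile "$d/ca.crt" -untrusted "$d/ca-bundle.crt" \
    -verify_hostname dev-web-en001.example.test "$d/server.crt" >/dev/null || return 1
  # 2. the private key about to be deployed belongs to this certificate
  [ "$(pubkey_digest "$d/server.key")" = "$(pubkey_digest "$d/server.crt")" ] || return 1
  # 3. the bundle starts with the intermediate, not the root
  [ "$(openssl x509 -in "$d/ca-bundle.crt" -noout -subject)" = \
    "$(openssl x509 -in "$d/mid-ca.crt" -noout -subject)" ]
}
t=$(mktemp -d); build_demo_chain "$t"
if verify_chain "$t"; then echo "chain checks passed: $t"; else echo "chain checks FAILED: $t"; fi
```

To run the same checks against the post's own files, point check 1 at ca/certs/ca.crt, mid-ca/certs/ca-bundle.crt and server/certs/DEV-WEB-EN001.crt, and check 2 at the matching .key file.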