Note: All commands are tested against OpenSSL 0.9.8r 8 Feb 2011 using Cygwin on a Windows 7 OS.
1. Create a new CA (private key/keyring and public key/certificate):
openssl req -new -x509 -days 3560 -extensions v3_ca -keyout caprivkey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
Explanation of commands:
req | Request |
-new -x509 | Create a new key pair and a self-signed X.509 certificate directly (no CSR step) |
-days 3560 | Validity = ten years |
-extensions v3_ca | Make this request a CA certificate (root CA) |
-keyout caprivkey.pem | Output private key to "caprivkey.pem" |
-out cacert.pem | Output public key (certificate) to "cacert.pem" |
-config /usr/ssl/openssl.cnf | Use the given config file (optional; OpenSSL's default config is used otherwise) |
2. Create a new subordinate CA private key (1024-bit RSA as shown; 2048 bits or more is the current recommendation):
openssl genrsa -out mysubca.key 1024
3. Create a new CSR from the subordinate CA private key:
openssl req -new -key mysubca.key -out mysubreq.csr
4. Use the CA certificate (item #1) to sign the CSR (item #3) as a subordinate CA:
openssl ca -extensions v3_ca -days 365 -out mysubcert.cer -policy policy_anything -in mysubreq.csr
Explanation of commands:
ca | Act as a CA and sign the request (the signing certificate and key are taken from the config file unless given with -cert/-keyfile) |
-extensions v3_ca | Mark the issued certificate as a CA (basicConstraints CA:TRUE) so it can sign certificates itself |
-days 365 | Validity = one year |
-out mysubcert.cer | Name the signed subordinate CA as "mysubcert.cer" |
-policy policy_anything | Do not require the subordinate CA's subject fields (e.g. "organization") to match the root CA's |
-in mysubreq.csr | The name of the CSR created in item #3 |
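The four steps above run end to end, as an added example that is not part of the original page. It assumes openssl is on the PATH, supplies a minimal ca.cnf in place of /usr/ssl/openssl.cnf (openssl ca needs the [ CA_default ] database layout, the policy_anything section and a v3_ca section, which the page leaves to the default config), uses -subj/-batch/-nodes so nothing prompts, and uses 2048-bit keys instead of the page's 1024. It ends with the check a practitioner wants after step 4: that the subordinate certificate chains to the root and carries CA:TRUE.

```shell
#!/bin/sh
# Added example (not from the original page): build the root + subordinate CA
# from steps 1-4 in a scratch directory, then verify the chain.
set -eu

write_config() {
    # Minimal stand-in for /usr/ssl/openssl.cnf (assumption: the default config
    # is not available); paths under "dir" are relative to the scratch directory.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = ./demoCA
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = ./cacert.pem
private_key    = ./caprivkey.pem
default_md     = sha256
default_days   = 365
policy         = policy_anything
unique_subject = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

build_chain() (
    # $1 = scratch directory; runs in a subshell so the caller's cwd is untouched
    cd "$1"
    write_config
    # CA database files that "openssl ca" expects to exist
    mkdir -p demoCA/newcerts
    : > demoCA/index.txt
    echo 01 > demoCA/serial

    # Step 1: root CA key and self-signed certificate
    openssl req -new -x509 -days 3560 -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/O=Example Root/CN=Example Root CA" \
        -keyout caprivkey.pem -out cacert.pem -config ca.cnf 2>/dev/null
    # Step 2: subordinate CA private key
    openssl genrsa -out mysubca.key 2048 2>/dev/null
    # Step 3: CSR for the subordinate CA (different organization than the root)
    openssl req -new -key mysubca.key -out mysubreq.csr -config ca.cnf \
        -subj "/O=Other Org/CN=Example Sub CA"
    # Step 4: root CA signs the CSR as a CA certificate
    openssl ca -batch -config ca.cnf -extensions v3_ca -days 365 -notext \
        -policy policy_anything -in mysubreq.csr -out mysubcert.cer 2>/dev/null
)

verify_chain() (
    # Prints "ok" only if mysubcert.cer validates against cacert.pem AND is a CA.
    cd "$1"
    openssl verify -CAfile cacert.pem mysubcert.cer >/dev/null 2>&1 \
        || { echo fail; return 1; }
    openssl x509 -in mysubcert.cer -noout -text | grep -q "CA:TRUE" \
        || { echo fail; return 1; }
    echo ok
)

# Stand-alone usage: build everything in a fresh temporary directory.
if command -v openssl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    build_chain "$scratch"
    verify_chain "$scratch"
    echo "artifacts in $scratch"
fi
```

After a run, demoCA/index.txt holds one line for the issued subordinate certificate and demoCA/newcerts holds its copy; this database is what lets openssl ca refuse duplicate serials and later revoke the certificate, which is why the directory must exist before step 4.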