I would like to set up my own OCSP Responder for testing purposes, and this requires me to have a Root certificate with a few certificates generated from it.
I've managed to create a self-signed certificate using `openssl`, and I want to use it as the Root certificate. The next step would be to create the derived certificates; however, I can't seem to find the documentation on how to do this. Does anyone know where I can find this information?
In retrospect, my question is not yet completely answered, and to clarify the problem, I'll represent my certificate chain like this: Root > A > B > C > …
I am currently able to create the Root and A certificates via the below, but I haven't found how to make a longer chain:
```
# Root certificate is created like this:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Certificate A is created like this:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
```
- This command implicitly depends on the root certificate, for which it finds the required info within the OpenSSL configuration file. However, certificate B must only rely on A, which is not registered in the config file, so the previous command won't work here.
What command should I use to create certificates B and beyond?
I found the answer in this article: Certificate B (chain A -> B) can be created with these two commands, and this approach seems to be working well:
```
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
```
I also changed the
```
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
```
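An added example, not part of the original post: a test chain Root > A > B > C built with `openssl x509 -req -CA/-CAkey` instead of `openssl ca`, so no CA database or global config edit is needed. It also issues D from the non-CA certificate C to show the verification failure that `basicConstraints=CA:FALSE` on an issuer causes; `chain.cnf`, the file names and the subjects are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example: build Root > A > B > C with `openssl x509 -req`, then verify.
# File names, subjects and chain.cnf are constructed for this demo.
set -eu

make_cnf() {  # one extension section for CAs, one for end entities
  cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
}

# issue NAME ISSUER EXT_SECTION: new key and CSR for NAME, signed with ISSUER's key
issue() {
  openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=Test $1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile chain.cnf -extensions "$3" -days 365 -out "$1.pem" 2>/dev/null
}

build_chain() {
  make_cnf
  openssl req -x509 -config chain.cnf -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout Root.key -out Root.pem -subj "/CN=Test Root" -days 365 2>/dev/null
  issue A Root ca_ext    # intermediate CA
  issue B A ca_ext       # intermediate CA
  issue C B leaf_ext     # end entity
  issue D C leaf_ext     # signed by a non-CA: signing works, verification must not
}

# Only Root is trusted; intermediates are passed as untrusted helpers.
verify_C() { cat A.pem B.pem > inter.pem
  openssl verify -CAfile Root.pem -untrusted inter.pem C.pem; }
verify_D() { cat A.pem B.pem C.pem > inter2.pem
  openssl verify -CAfile Root.pem -untrusted inter2.pem D.pem; }

workdir=$(mktemp -d); cd "$workdir"
build_chain
verify_C && echo "C chains to Root"
verify_D 2>/dev/null || echo "D rejected: its issuer C has CA:FALSE"
```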