How to create your own certificate chain

Tags: certificates, ssl

I would like to set up my own OCSP Responder for testing purposes, and this requires me to have a Root certificate with a few certificates generated from it.

I've managed to create a self-signed certificate using openssl, and I want to use it as the Root certificate. The next step would be to create the derived certificates, however, I can't seem to find the documentation on how to do this. Does anyone know where I can find this information?

  • Edit:
    In retrospect, my question is not yet completely answered, and to clarify the problem, I'll represent my certificate chain like this: Root > A > B > C > …

I am currently able to create the Root and A certificates via the below, but I haven't found how to make a longer chain:

# Root certificate is created like this:
  # key + request for the root in one go (-nodes: the key file is not passphrase-protected)
  openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
  # self-sign the request with the root key
  openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Certificate A is created like this:
  openssl genrsa -out client.key 1024
  openssl req -new -key client.key -out client.csr
  # signs with the CA named in the [ca] section of openssl.cnf (its key, cert, index.txt and serial)
  openssl ca -in client.csr -out client.cer
  • This command implicitly depends on the root certificate, for which it finds the required info in the OpenSSL configuration file; however, certificate B must rely only on A, which is not registered in the config file, so the previous command won't work here.

What command should I use to create certificates B and beyond?

  • Edit:
    I found the answer in this article: certificate B (chain A -> B) can be created with these two commands, and this approach seems to be working well:

    # Create a certificate request (the key is written passphrase-protected unless -nodes is added;
    # -days is only honoured together with -x509, the lifetime here comes from openssl ca's default_days)
    openssl req -new -keyout B.key -out B.request -days 365
    
    # Create and sign the certificate with A's key and certificate instead of the CA from openssl.cnf
    # (-infiles must be the last option; everything after it is treated as a request file)
    openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
    

    I also changed the openssl.cnf file:

    [ usr_cert ]
    basicConstraints=CA:TRUE # prev value was FALSE
    

Best Answer

You can use OpenSSL directly.

  1. Create a Certificate Authority private key (this is your most important key):

    # key and request in one step; -nodes leaves the key file unencrypted
    openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
    
  2. Create your CA self-signed certificate:

    # self-sign the request with the key from step 1
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
    
  3. Issue a client certificate by first generating the key, then the request (or use one provided by an external system), then sign the certificate using the private key of your CA:

    openssl genrsa -out client.key 1024
    openssl req -new -key client.key -out client.csr
    # uses the CA key, certificate, index.txt and serial configured in the [ca] section of openssl.cnf
    openssl ca -in client.csr -out client.cer
    

(You may need to add some options, as I am using these commands together with my openssl.conf file. You may need to set up your own .conf file first.)
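The following script is an added example, not code from the question or the answer. It builds the longer chain the question asks for (Root > A > B > C) and covers the two-level case of the answer as well, but with `openssl x509 -req -CA ... -CAkey ...` in place of `openssl ca`, so no CA database (index.txt, serial, openssl.cnf sections) is needed and certificate B can be signed by A without registering A anywhere. Each certificate gets its own extension file, so CA:TRUE (with a path length) is only given to the certificates that really are CAs; the question's change of `basicConstraints` in `[ usr_cert ]` would instead turn every issued certificate, leaves included, into a CA. The last function shows why that matters: a certificate signed by the CA:FALSE leaf C is rejected by `openssl verify`. The file names, subjects, key size, validity periods and the OCSP URL are assumptions for the example.

```shell
#!/bin/sh
# Added example: Root > A > B > C with per-certificate extension files and
# "openssl x509 -req -CA" instead of "openssl ca". All names are assumptions.
set -eu

# gen_key NAME: RSA key in NAME.key (2048 bits; the 1024 used on the page is too short today)
gen_key() { openssl genrsa -out "$1.key" 2048 2>/dev/null; }

# make_csr NAME CN: request in NAME.csr for the key in NAME.key
make_csr() { openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"; }

# write_ext NAME KIND [PATHLEN]: extensions for this one certificate, written to NAME.ext
write_ext() {
  case "$2" in
    root)                                   # trust anchor, no path length limit
      printf 'basicConstraints=critical,CA:TRUE\n'
      printf 'keyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
    ca)                                     # intermediate, may have $3 more CAs below it
      printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\n' "$3"
      printf 'keyUsage=critical,keyCertSign,cRLSign\n'
      printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' ;;
    leaf)                                   # end entity: explicitly not a CA
      printf 'basicConstraints=critical,CA:FALSE\n'
      printf 'keyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n'
      printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n'
      # assumed responder URL; this is what clients read to find the OCSP responder
      printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' ;;
  esac > "$1.ext"
}

# issue NAME ISSUER DAYS: sign NAME.csr with ISSUER's key and cert ("self" = self-signed root)
issue() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$3" \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days "$3" -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: Root (no pathlen) > A (pathlen 1) > B (pathlen 0) > C (leaf), plus chain.pem = A + B
build_chain() (
  mkdir -p "$1" && cd "$1"
  gen_key root; make_csr root "Test Root CA"; write_ext root root; issue root self 3650
  gen_key A;    make_csr A    "Test CA A";    write_ext A ca 1;    issue A root 1825
  gen_key B;    make_csr B    "Test CA B";    write_ext B ca 0;    issue B A 1825
  gen_key C;    make_csr C    "ocsp-test.example.test"; write_ext C leaf; issue C B 365
  cat A.pem B.pem > chain.pem
)

# verify_cert DIR CERT: succeeds only if CERT chains to DIR/root.pem through DIR/chain.pem
# (the "...: OK" line is checked because old OpenSSL versions exit 0 even on failure)
verify_cert() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" "$2" 2>&1 | grep -q ': OK$'
}

# leaf_cannot_issue DIR: a certificate signed by the CA:FALSE leaf C must not verify.
# openssl x509 -req itself does not check the issuer's CA bit, so the rejection happens at verify time.
leaf_cannot_issue() (
  cd "$1"
  gen_key D; make_csr D "signed-by-leaf.example.test"; write_ext D leaf
  issue D C 365 || exit 0          # a refusal to sign at all would also be the right outcome
  cat A.pem B.pem C.pem > chain_with_leaf.pem
  if openssl verify -CAfile root.pem -untrusted chain_with_leaf.pem D.pem 2>&1 | grep -q ': OK$'; then
    exit 1                         # must not happen: C is CA:FALSE and B has pathlen:0
  fi
  exit 0
)

# Usage: sh make-chain.sh /path/to/pki   (without an argument only the functions are defined)
if [ "$#" -gt 0 ]; then
  build_chain "$1"
  verify_cert "$1" "$1/C.pem" && echo "C.pem verifies via B -> A -> root"
  leaf_cannot_issue "$1" && echo "certificate issued by leaf C is rejected, as expected"
fi
```

Because the extensions come from a file per certificate rather than from a shared `[ usr_cert ]` section, the same three helpers issue a root, an intermediate or a leaf, and adding level D only means one more `issue` call with B's path length raised accordingly; `openssl verify -CAfile root.pem -untrusted chain.pem C.pem` is the check to run after every change to the chain.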