# How to create your own certificate chain

Tags: certificate, ssl

I would like to set up my own OCSP Responder for testing purposes, and this requires me to have a Root certificate with a few certificates generated from it.

I've managed to create a self-signed certificate using openssl, and I want to use it as the Root certificate. The next step would be to create the derived certificates, however, I can't seem to find the documentation on how to do this. Does anyone know where I can find this information?

Edit:
In retrospect, my question is not yet completely answered. To clarify the problem, I'll represent my certificate chain like this: Root > A > B > C > …

I am currently able to create the Root and A certificates via the commands below, but I haven't found out how to make a longer chain:

```sh
# Root certificate is created like this:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Certificate A is created like this:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
```

This last command implicitly depends on the root certificate, for which it finds the required info within the OpenSSL configuration file. However, certificate B must only rely on A, which is not registered in the config file, so the previous command won't work here.

What command should I use to create certificates B and beyond?

Edit:
I found the answer in this article: certificate B (chain A -> B) can be created with these two commands, and this approach seems to be working well:

```sh
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365

# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
```

I also changed the openssl.cnf file:

```ini
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
```


You can use OpenSSL directly.

1. Create a Certificate Authority private key (this is your most important key):

```sh
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
```

2. Create your CA self-signed certificate:

```sh
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
```

3. Issue a client certificate by first generating the key, then the request (or use one provided by an external system), then sign the certificate using the private key of your CA:

```sh
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
```

(You may need to add some options, as I am using these commands together with my openssl.conf file. You may need to set up your own .conf file first.)
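The following script is an added example written for this page; it is not code from the question, the asker's "article", or the answer above. It builds the full chain the question asks for (Root > A > B > C) using `openssl x509 -req` with `-CA`/`-CAkey` for every level below the root. That command takes the issuer's key and certificate directly on the command line, so it needs no `openssl ca` index/serial database and no per-CA entry in openssl.cnf, which is the exact obstacle the question ran into; the asker's `openssl ca -keyfile A.key -cert A.pem` variant is the equivalent with the database kept. It also sets `basicConstraints` with a `pathlen` per level (Root 2, A 1, B 0), and then checks two things the posts do not show: that C verifies up to Root through B and A, and that a certificate signed by the CA:FALSE leaf C is rejected, which is why the asker had to flip `usr_cert` to `CA:TRUE`. Certificate names (Root, A, B, C, D), the `/CN=Test <name>` subjects, 2048-bit keys, and the `WORK` temp directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build Root > A > B > C
# with "openssl x509 -req", which takes the issuer's key and cert on the
# command line and needs no "openssl ca" database or openssl.cnf entry per
# level, then verify the chain and show that a certificate signed by the
# CA:FALSE leaf C is rejected. Names (Root, A, B, C, D), the "/CN=Test <name>"
# subjects and the WORK directory are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# Minimal req config so the example does not depend on the system openssl.cnf;
# the [dn] entry is a placeholder that -subj overrides.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\nCN = placeholder\n' >"$WORK/req.cnf"

# ext_profile FILE ca PATHLEN   |   ext_profile FILE leaf
# pathlen is how many more intermediate CAs may follow this certificate
# (RFC 5280 4.2.1.9): Root allows A and B (2), A allows B (1), B allows none (0).
ext_profile() {
    if [ "$2" = ca ]; then
        cat >"$1" <<EOF
[ ext ]
basicConstraints = critical, CA:TRUE, pathlen:$3
keyUsage = critical, keyCertSign, cRLSign
EOF
    else
        cat >"$1" <<'EOF'
[ ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
    fi
    printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' >>"$1"
}

# issue NAME ISSUER ca PATHLEN   |   issue NAME ISSUER leaf
# ISSUER=self produces the self-signed root. Any other level is signed with
# the issuer's own key and cert, which is all "openssl ca -keyfile A.key
# -cert A.pem" does once its index/serial bookkeeping is taken away.
issue() {
    name=$1 issuer=$2 kind=$3 pathlen=${4:-}
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null   # 2048 bits, not the post's 1024
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "/CN=Test $name" -out "$WORK/$name.csr"
    ext_profile "$WORK/$name.ext" "$kind" "$pathlen"
    if [ "$issuer" = self ]; then
        set -- -signkey "$WORK/$name.key"
    else
        set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial
    fi
    openssl x509 -req -in "$WORK/$name.csr" "$@" -days "$DAYS" -sha256 \
        -extfile "$WORK/$name.ext" -extensions ext -out "$WORK/$name.pem" 2>/dev/null
}

# build_chain: Root (self-signed) > A > B > C (end-entity). A and B go into
# chain.pem, the "untrusted" intermediates a verifier needs alongside Root.
build_chain() {
    issue Root self ca 2
    issue A Root ca 1
    issue B A ca 0
    issue C B leaf
    cat "$WORK/A.pem" "$WORK/B.pem" >"$WORK/chain.pem"
}

# verify_leaf NAME CHAINFILE: exit 0 iff NAME chains to Root via CHAINFILE.
verify_leaf() {
    openssl verify -CAfile "$WORK/Root.pem" -untrusted "$WORK/$2" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# rogue_rejected: sign D with the leaf C's key (x509 -req will happily do it)
# and confirm verification fails because C is CA:FALSE and lacks keyCertSign.
# This is the trap the question's "basicConstraints=CA:TRUE" edit avoids.
rogue_rejected() {
    issue D C leaf || return 2
    cat "$WORK/chain.pem" "$WORK/C.pem" >"$WORK/rogue-chain.pem"
    if verify_leaf D rogue-chain.pem; then return 1; else return 0; fi
}

if [ "${1:-}" = run ]; then
    build_chain
    verify_leaf C chain.pem || { echo "chain is broken"; exit 1; }
    echo "C verifies via B and A up to Root"
    rogue_rejected || { echo "D was NOT rejected"; exit 1; }
    echo "D, signed by the CA:FALSE leaf C, is rejected"
    openssl x509 -in "$WORK/B.pem" -noout -text | grep 'CA:TRUE'   # shows pathlen:0
    echo "artifacts in $WORK"
fi
```

Run it as `sh chain.sh run`; it prints the two verification results and leaves every key, CSR and certificate under `$WORK`. Two design points worth keeping when adapting it for an OCSP test bed: the `pathlen` values are deliberately tight, so trying to hang a fourth CA level under B fails verification instead of silently working, and `authorityKeyIdentifier = keyid` on every issued certificate is what lets `openssl verify` (and an OCSP responder built from these files) match each certificate to the right issuer by key rather than by subject name alone.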