CA creation notes

From Mann Systems
Jump to: navigation, search

Root CA

  • Create root CA key
# openssl genrsa -out key.pem -aes256 4096

Configuration file not used by this subcommand.

  • Create and self-sign root CA request, adding CA extensions
# openssl req -config conffile -new -x509 -days 7300 -in key.pem -out cert.pem

This command will read the [req] section of the configuration file for the following settings:

distinguished_name = <section>
x509_extensions = <section>
default_md = <hash_algorithm> (or -<hash_algorithm> on command line)


Intermediate CA

  • Create intermediate CA key
# openssl genrsa -out key.pem -aes256 4096
  • Create CSR with no requested extensions
# openssl req -config conffile -new -in key.pem -out csr.pem
  • Sign CSR using root CA, adding intermediate CA extensions
# openssl ca -config conffile -in csr.pem -out cert.pem -extensions <section>

Client/Server certificate

  • Create private key on device where certificate is to be used [genrsa]
  • Create CSR, with any request extensions (subjectAltName etc) [req -reqexts]
  • Send CSR to CA. DO NOT send private key.
  • Sign CSR using CA, adding client/server extensions and copying requested extensions [ca -extensions]
  • Send signed cert back to device where it is to be used




subcommand Generate key Generate CSR Self-sign Sign CSR
genrsa Y
req Y* Y Y
ca Y Y
x509 Y Y