Jerry,

When you create the intermediate certificate, you need to add the
following attribute:

basicConstraints=CA:true

Otherwise, the intermediate CA certificate cannot issue server certificates.

Best regards,
John Mok
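As an added illustration of the fix above (this script is not from the thread and not the OpenSSL project's own code): the full Root -> Intermediate -> Server chain built with openssl, where the intermediate is signed with basicConstraints=CA:TRUE (and keyCertSign key usage) via an extension file, and the result is checked with openssl verify. It assumes openssl is on PATH; the file names, subjects and extension files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build Server -> Intermediate -> Root with
# basicConstraints=CA:TRUE on the intermediate, then verify the chain.
# Assumes openssl on PATH; the extension files and names are constructed here.
set -eu

build_chain() {                       # $1 = output directory
    mkdir -p "$1"
    (
    cd "$1"
    # Extensions for a CA certificate (used for both root and intermediate).
    cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Extensions for the server (end-entity) certificate: explicitly not a CA.
    cat > leaf_ext.cnf <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:test.example.com
EOF
    # Root CA: CSR self-signed with the CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -days 1825 -sha256 -in ca.csr -signkey ca.key \
        -extfile ca_ext.cnf -out ca.crt 2>/dev/null
    # Intermediate CA: signed by the root WITH the CA extensions (the missing piece).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -days 1825 -sha256 -in intermediate.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile ca_ext.cnf -out intermediate.crt 2>/dev/null
    # Server certificate: signed by the intermediate with leaf extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=test.example.com" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 825 -sha256 -in server.csr -CA intermediate.crt \
        -CAkey intermediate.key -CAcreateserial -extfile leaf_ext.cnf -out server.crt 2>/dev/null
    )
}

# Succeeds only if server.crt chains to ca.crt through intermediate.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -untrusted "$1/intermediate.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# Succeeds if the given certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Without the -extfile on the intermediate signing step, is_ca_cert fails on intermediate.crt and openssl verify rejects server.crt, which is the same condition the Windows warning reports.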

On Thu, Nov 27, 2014 at 3:43 PM, Jerry OELoo <oylje...@gmail.com> wrote:
> Hi All:
> Now I want to create a certificate chain by myself.
> It will look like this:
>
> Server Certificate -> Intermediate CA -> Root CA.
>
> Now I am using openssl command to create these certificate files.
>
>
> # Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
>
> # Create Intermediate
> openssl genrsa -out intermediate.key 4096
> openssl req -new -sha1 -key intermediate.key -out intermediate.csr
>
> # CA signs Intermediate
> openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey
> ca.key -set_serial 01 -out intermediate.crt
>
> # Create Server
> openssl genrsa -out test.example.com.key 4096
> openssl req -new -key test.example.com.key -out test.example.com.csr
>
> # Intermediate signs Server
> openssl x509 -req -days 1825 -in test.example.com.csr -CA
> intermediate.crt -CAkey intermediate.key -set_serial 01 -out
> test.example.com.crt
>
>
> Now I install ca.crt into the Windows 7 local Trust Root Store. When I open
> the test.example.com.crt file, I can see the "Certificate chain" in
> "Certification Path".
>
> But I get one warning on the intermediate certificate: "This
> certification authority is not allowed to issue certificates or cannot
> be used as an end-entity certificate."
>
> From searching, I think this is because the intermediate certificate/key is
> not a correct intermediate CA, so it cannot sign
> "test.example.com.crt".
>
> Please give me some suggestions about how to use the openssl command
> to sign "test.example.com.crt" with the intermediate CA. Thanks!
>
> --
> Rejoice, I Desire!
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org