how create a chain of self signed certificates

Asked by moralesrd:
1 Solution
 
arnold commented:
Explain?
Create your own self signed CA.
Then use the CA to create a subordinate CA.
Use the subordinate CA to sign CSRs.

Certificate will have the chain of
CA
Subordinate CA
Certificate.
 
moralesrd (Author) commented:
Could you provide an example using openssl?
 
Dave Howe commented:
There is no such thing as a chain of self signed certificates.

arnold is correct: the procedure is to create your own CA, then sign each cert in the chain with the cert above it in the hierarchy (down to the final usage cert).

http://sourceforge.net/projects/xca is a better choice for this than "straight" openssl, but I can give you the command line procedure if you really want it.
 
moralesrd (Author) commented:
Could you provide a command procedure, assuming that I already have the signer (cert1.cer/cert1.pem/cert1.p12), and then I will generate the signed certificate (cert2.cer/cert2.pem/cert2.p12)?

If you can provide an example using the values above, it would be great for me to understand.
 
Dave Howe commented:
OK. The CA default for openssl requires that you have all the files in a particular pattern (this is documented in your openssl.cnf file), but in short you will need the following structure:

directories:
demoCA
demoCA/certs
demoCA/crl
demoCA/newcerts
demoCA/private

files:
demoCA/cacert.pem
demoCA/private/cakey.pem

(you should copy your cert1 cert and key to the above two, or edit the openssl.cnf to reflect the names and path)

Note that demoCA should be a subdir of the directory you are working in.

Now you can start running openssl commands!

openssl req -new -keyout cert2.pem -out req.pem

This will create your certificate request and private key.

openssl ca -policy policy_anything -days 365 -in req.pem -out cert2.cer

This will sign the new request with the CA key, giving you your new cert (in PEM format).

openssl pkcs12 -in cert2.cer -inkey cert2.pem -certfile cert1.cer -export -out cert2.p12

This gives you your PFX.

Now, wouldn't xca be easier? :)
 
moralesrd (Author) commented:
I'm planning to use the Windows tool, but I want to finish first using openssl... so, where can I add the information related to the certificate? I mean, where in the syntax that you provided? C=country O=organization OU=department CN=common name

Any particular syntax?
 
arnold commented:
A chain deals with the signing process/hierarchy rather than common names.

Not sure what you are asking.
 
moralesrd (Author) commented:
Is there a way to sign a certificate without the pass-phrase of the issuer authority?
 
arnold commented:
If it is your CA, it is up to you to set a passphrase or not set one.
 
Dave Howe commented:
@moralesrd:

The defaults for CN etc. are in the openssl.cnf, but it will prompt *anyhow* for that info, so it is not worth messing with.

If there *is* a passphrase for the secret key, then yes, you need the passphrase, and you won't live long enough to crack it unless you get really lucky with a passphrase brute-force search. If you don't have the CA password, then you should create a new CA keypair (or ask whoever DID have that passphrase nicely for it :)

No, you can't sign without the passphrase. The passphrase is the encryption key for the PEM file, and the contents of the PEM file are required for signing.
 
moralesrd (Author) commented:
I already imported the p12 with the issuer authority into XCA, but I'm having problems generating a certificate signed by the issuer. Could you provide me some hints?
 
Dave Howe commented:
If the private key for the CA is in XCA, then if you right-click on the CA certificate in the "certificates" tab and select "New Certificate", you will be prompted to create a new certificate (this should usually be of type "Https_server").

If you have an external CSR, you can import that into the CSR tab, right-click it, select "sign", then export the resulting certificate from the certificates tab.

If these options aren't available, check that the CA cert shows a key available in its detail page; that is the usual reason why you can't sign stuff.