how create a chain of self signed certificates

Dave Howe, Software and Hardware Engineer, commented:
OK. The CA default for openssl requires that you have all the files in a particular pattern (this is documented in your openssl.cnf file), but in short you will need the following structure:

directories:
demoCA
demoCA/certs
demoCA/crl
demoCA/newcerts
demoCA/private

files:
demoCA/cacert.pem
demoCA/private/cakey.pem

(You should copy your cert1 cert and key to the above two, or edit the openssl.cnf to reflect the names and path.)

Note that demoCA should be a subdir of the directory you are working in.

Now you can start running openssl commands!

    openssl req -new -keyout cert2.pem -out req.pem

This will create your certificate request and private key.

    openssl ca -policy policy_anything -days 365 -in req.pem -out cert2.cer

This will sign the new request with the CA key, giving you your new cert (in PEM format).

    openssl pkcs12 -in cert2.cer -inkey cert2.pem -certfile cert1.cer -export -out cert2.p12

which gives you your pfx.

Now, wouldn't xca be easier? :)
 
arnold commented:
Explain?
Create your own self-signed CA.
Then use the CA to create a subordinate CA.
Use the subordinate CA to sign CSRs.

The certificate will have the chain of:
CA
Subordinate CA
Certificate.
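As an added example (not part of the thread or either expert's posts): the command-line procedure Dave Howe gives above, carried through the root CA, subordinate CA, certificate hierarchy arnold describes, using `openssl x509 -req` with an inline extension file instead of the demoCA/openssl ca layout so no openssl.cnf edits are needed. It also shows the check that matters in practice: the leaf validates only when the subordinate CA is supplied alongside it. The "Example Lab" subjects, host name, lifetimes and the PKCS#12 passphrase are constructed demo values; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added demo (not the thread's code): root CA -> subordinate CA -> server cert,
# each signed by the key one level up; all names and lifetimes are constructed.
set -eu
# Extension profiles: the two CA certs may sign, the leaf explicitly may not.
write_ext_profile() {
  cat > "$1" <<'EOF'
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.test
EOF
}
# new_csr <name> <subject>: key without passphrase (-nodes) plus CSR; the
# subject is given inline as /C=/O=/OU=/CN= instead of answering the prompts.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
}
# build_chain <workdir>: writes root.pem, sub.pem, leaf.pem, chain.pem, leaf.p12.
build_chain() (
  cd "$1" || exit 1; write_ext_profile ext.cnf
  new_csr root "/C=US/O=Example Lab/OU=PKI/CN=Example Lab Root CA"
  new_csr sub  "/C=US/O=Example Lab/OU=PKI/CN=Example Lab Issuing CA"
  new_csr leaf "/C=US/O=Example Lab/OU=Web/CN=www.example.test"
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ext.cnf -extensions v3_root -out root.pem          # self-signed root
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ext.cnf -extensions v3_sub -out sub.pem   # root signs sub
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions v3_leaf -out leaf.pem  # sub signs leaf
  cat leaf.pem sub.pem > chain.pem   # what a server presents: leaf + intermediate
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile sub.pem \
    -out leaf.p12 -passout pass:demo-only    # the .p12/.pfx step from the thread
)
# verify_leaf <workdir> <yes|no>: validate the leaf against the root, with or
# without the subordinate CA supplied as untrusted chain material; prints OK/FAIL.
verify_leaf() {
  if [ "$2" = yes ]; then set -- -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/leaf.pem"
  else set -- -CAfile "$1/root.pem" "$1/leaf.pem"; fi
  openssl verify "$@" >/dev/null 2>&1 && echo OK || echo FAIL
}
```

Run `d=$(mktemp -d); build_chain "$d"; verify_leaf "$d" yes; verify_leaf "$d" no` to see the chain pass with the intermediate and fail without it, which is exactly the error a client reports when a server ships only its own certificate.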
 
moralesrd (Author) commented:
Could you provide an example using openssl?
Dave Howe, Software and Hardware Engineer, commented:
There is no such thing as a chain of self-signed certificates.

arnold is correct - the procedure is to create your own CA, then sign each cert in the chain with the cert above it in the hierarchy (down to the final usage cert).

http://sourceforge.net/projects/xca is a better choice for this than "straight" openssl, but I can give you the command line procedure if you really want it.
 
moralesrd (Author) commented:
Could you provide a command procedure with the assumption that I already have the signer (cert1.cer/cert1.pem/cert1.p12)? Then I will generate the signed certificate (cert2.cer/cert2.pem/cert2.p12).

If you could provide an example using the values above, it would be great for me to understand.
 
moralesrd (Author) commented:
I'm planning to use the Windows tool, but I want to finish first using openssl... So, where can I add the information related to the certificate? I mean, where in the syntax that you provided? C=country O=organization OU=department CN=common name

Any particular syntax?
 
arnold commented:
A chain deals with the signing process/hierarchy rather than common names.

Not sure what you are asking.
 
moralesrd (Author) commented:
Is there a way to sign a certificate without the pass-phrase of the issuer authority?
 
arnold commented:
If it is your CA, it is up to you to set a passphrase or not set one.
 
Dave Howe, Software and Hardware Engineer, commented:
@moralesrd:

The defaults for CN etc. are in the openssl.cnf, but it will prompt *anyhow* for that info, so it is not worth messing with.

If there *is* a passphrase for the secret key, then yes, you need the passphrase, and you won't live long enough to crack it unless you get really lucky with a passphrase brute-force search. If you don't have the CA password, then you should create a new CA keypair (or ask whomever DID have that passphrase nicely for it :)

No, you can't sign without the passphrase. The passphrase is the encryption key for the PEM file, and the contents of the PEM file are required for signing.
 
moralesrd (Author) commented:
I already imported the p12 with the issuer authority in XCA, but I'm having problems generating a certificate signed by the issuer. Could you provide me some hints?
 
Dave Howe, Software and Hardware Engineer, commented:
If the private key for the CA is in XCA, then if you right-click on the CA certificate in the "Certificates" tab and select "New Certificate", you will be prompted to create a new certificate (this should usually be of type "Https_server").

If you have an external CSR, you can import that into the CSR tab, right-click it, select "Sign", then export the resulting certificate from the Certificates tab.

If these options aren't available, check that the CA cert shows a key available in its detail page - that is the usual reason why you can't sign stuff.