Steps to Create a Certificate Chain
1. Create the Root Certificate Authority (CA)
Generate a private key for the Root CA:
openssl genrsa -out root.key 4096
Generate the Root CA certificate:
openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem -subj "/C=US/ST=State/L=City/O=RootOrg/OU=RootCA/CN=RootCA"
2. Create the Intermediate Certificate Authority (Optional)
Generate a private key for the Intermediate CA:
openssl genrsa -out intermediate.key 4096
Create a Certificate Signing Request (CSR) for the Intermediate CA:
openssl req -new -key intermediate.key -out intermediate.csr -subj "/C=US/ST=State/L=City/O=IntermediateOrg/OU=IntermediateCA/CN=IntermediateCA"
Sign the Intermediate CA certificate with the Root CA:
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial -out intermediate.pem -days 1825 -sha256 -extfile <(echo "basicConstraints=CA:TRUE,pathlen:0")
3. Create the Leaf Certificate
Generate a private key for the leaf certificate:
openssl genrsa -out leaf.key 2048
Create a Certificate Signing Request (CSR) for the leaf certificate:
openssl req -new -key leaf.key -out leaf.csr -subj "/C=US/ST=State/L=City/O=LeafOrg/OU=Leaf/CN=localhost"
Sign the leaf certificate with the Intermediate CA:
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out leaf.pem -days 825 -sha256 -extfile <(echo "basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
")
4. Combine the Certificates into a Chain
Concatenate the certificates to create a chain:
cat leaf.pem intermediate.pem root.pem > cert_chain.pem
Now you have:
leaf.key: Private key for the leaf certificate.
cert_chain.pem: Complete certificate chain.
5. Verify the Certificate Chain
Manually verify using OpenSSL:
openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem
Top comments (0)