Hands on with Golang.
Generate the certificate authority (CA) private key.
# 4096-bit RSA private key for the root CA. genrsa writes it unencrypted
# (no -aes256 passphrase option is given), so this single file is the whole
# trust root: keep it out of version control and restrict access to it.
openssl genrsa -out ca.key 4096
Self-sign the CA certificate.
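# Self-signed root CA certificate (SHA-512, 10-year validity) for ca.key.
# subjectAltName is an X.509 *extension*, not a distinguished-name attribute:
# listing it inside -subj only produces an unusual DN component and no real
# SAN, so it is dropped here (a CA certificate needs no SAN anyway).
# -nodes is also dropped: it only applies when req generates the key itself.
# The CA extensions (basicConstraints, key identifiers) are typically taken
# from the system openssl.cnf's default x509 section for `req -x509`; confirm
# CA:TRUE is present with `openssl x509 -in ca.crt -text`.
openssl req -x509 -new -sha512 -days 3650 \
  -subj "/C=TH/ST=Bangkok/L=Bangkok/O=example/OU=Personal/CN=Kone CA" \
  -key ca.key \
  -out ca.crt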
View the certificate.
# Print the decoded certificate followed by its PEM encoding; check the
# Subject, Validity and X509v3 extensions (basicConstraints, Key Usage).
openssl x509 -text -in ca.crt
Create a key pair for hello-service.
# 4096-bit RSA private key for the hello-service TLS endpoint. Written
# unencrypted; it must only be readable by the service that uses it.
openssl genrsa -out hello-service.com.key 4096
Create a certificate signing request (CSR) for hello-service.
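# CSR for hello-service. The subjectAltName component has been removed from
# -subj: a SAN inside the subject DN is not a real SAN and is not what TLS
# clients match the hostname against. The actual SAN (hello-service.com and
# *.hello-service.com) is attached at signing time via v3.ext.
openssl req -sha512 -new \
  -subj "/C=TH/ST=Bangkok/L=Bangkok/O=example/OU=Personal/CN=Awesome hello service" \
  -key hello-service.com.key \
  -out hello-service.com.csr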
Create a v3.ext file with the following content.
# Extensions applied by `openssl x509 -req -extfile v3.ext` when issuing the
# hello-service certificate. Extensions from the CSR itself are not copied.
authorityKeyIdentifier=keyid,issuer
# Leaf certificate: must not be able to issue further certificates.
basicConstraints=CA:FALSE
# nonRepudiation/dataEncipherment are unusual for a TLS server and are not
# needed for it; digitalSignature (plus keyEncipherment for RSA key exchange)
# is what TLS uses. Not marked critical, so clients tolerate the extras.
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth only: this certificate cannot be used as a client certificate.
extendedKeyUsage = serverAuth
# The real SAN list lives here, not in the CSR subject.
subjectAltName = @alt_names
[alt_names]
DNS.1=hello-service.com
# Wildcard covers one label below hello-service.com; any service that holds
# this key can then impersonate every subdomain, so scope it deliberately.
DNS.2=*.hello-service.com
Create the certificate.
# Issue the hello-service certificate directly from the root CA, using the
# CSR plus the extensions in v3.ext. -CAcreateserial creates ca.srl next to
# ca.crt if it is missing. A 3650-day lifetime for a leaf certificate is far
# longer than public CAs permit; consider a shorter validity for services.
openssl x509 -req \
  -in hello-service.com.csr \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha512 -days 3650 \
  -out hello-service.com.crt
Generate a key pair for the intermediate certificate.
# 4096-bit RSA private key for the intermediate CA (unencrypted on disk;
# protect it like ca.key, since it can issue hello-service certificates).
openssl genrsa -out ica1.key 4096
Create a certificate signing request for the intermediate certificate.
# CSR for the intermediate CA. C, ST and O must equal the root CA's values,
# because policy_match in openssl-ica.cnf requires them to match when the
# root signs this request.
openssl req -new -sha512 \
  -key ica1.key \
  -subj "/C=TH/ST=Bangkok/L=Bangkok/O=example/OU=Personal/CN=Inter Kone CA" \
  -out ica1.csr
Prepare the files needed by the openssl config.
# openssl ca needs an (initially empty) issuance database and a serial
# counter; the first certificate it issues gets serial 01. Serials are then
# sequential and predictable — fine for a private CA, but `openssl ca
# -rand_serial` (OpenSSL 1.1.1+) is the alternative if that matters.
touch index.txt
printf '01\n' > serial
Create openssl-ica.cnf.
# Create the (empty) CA config; the sections listed next are added to it.
touch openssl-ica.cnf
Add the following to the openssl-ica.cnf file.
# Minimal `openssl ca` configuration used to sign the intermediate CSR.
# The CA certificate, key and validity are not set here; they are passed on
# the command line (-cert, -keyfile, -days).
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = .
certs = .
# Every issued certificate is also written here as <serial>.pem.
new_certs_dir = .
# Issuance database; openssl ca appends one line per certificate.
database =./index.txt
default_md = sha512
policy = policy_match
# Next serial number; read from and incremented in this file.
serial = ./serial
# DN policy: C, ST and O of the request must equal the CA certificate's.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Selected with `-extensions v3_intermediate_ca` on the command line.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — the intermediate may issue leaf certificates only, not further
# CAs, which limits the damage if ica1.key is compromised.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
Sign the intermediate certificate with our root CA.
# Sign the intermediate CSR with the root CA. -cert/-keyfile supply the
# issuer on the command line; -extensions selects v3_intermediate_ca
# (CA:true, pathlen:0). openssl ca records the issuance in index.txt and
# bumps ./serial. The -out file carries a human-readable dump ahead of the
# PEM block unless -notext is given, hence the conversion step that follows.
openssl ca -config openssl-ica.cnf \
  -extensions v3_intermediate_ca \
  -days 3650 \
  -cert ca.crt -keyfile ca.key \
  -in ica1.csr \
  -out ica1.pem
Convert to plain PEM.
# Re-encode as bare PEM so the file holds only the certificate block.
openssl x509 -inform PEM -outform PEM -in ica1.pem -out ica1-x509.pem
Bundle the certificates.
# Chain file: intermediate first, then the root. Presumably meant as the
# trust bundle clients verify against; a TLS server normally presents only
# leaf + intermediate, with the root already in the client's trust store.
{ cat ica1-x509.pem; cat ca.crt; } > kone-bundle-cert.pem
Sign hello-service with the intermediate certificate.
# Issue the hello-service certificate from the intermediate instead of the
# root, reusing the same CSR and v3.ext. This bypasses the openssl ca
# database: the serial is tracked in ica1.srl (created by -CAcreateserial),
# not in index.txt. The server must present this certificate together with
# ica1-x509.pem so clients can build the chain up to ca.crt.
openssl x509 -req \
  -in hello-service.com.csr \
  -extfile v3.ext \
  -CA ica1.pem -CAkey ica1.key -CAcreateserial \
  -sha512 -days 3650 \
  -out hello-service-by-iac.com.crt
References:
https://www.ssl.com/faqs/what-is-an-x-509-certificate/
https://www.golinuxcloud.com/openssl-create-certificate-chain-linux