I know there are a ton of other similar questions to this and I have been searching them and reading them for hours. Tried all sorts, but I just cant get it sorted. Here is what I want to do:
Make a certificate heirachy: Root <- SubCA1 <- SubCA2 <- Server Then make a chain SubCA1 <- SubCA2 <- Server Then be able to check that chain can be verified against the Root certificate.
I am using the script:
#!/bin/bash
# Create a root certificate (common name Root):
openssl ecparam -out RootKey.pem -name prime256v1 -genkey
openssl req -new -key RootKey.pem -x509 -nodes -days 3650 -out Root.pem -subj "/C=NZ/O=MyOrg/CN=Root"
# Create a SubCA1 certificate (common name SubCA1):
openssl req -out SubCA1.csr -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout SubCA1Key.pem -subj "/C=NZ/O=MyOrg/CN=SubCA1"
openssl x509 -req -in SubCA1.csr -CAkey RootKey.pem -CA Root.pem -days 3650 -out SubCA1.pem
# Create SubCA2 certificate (common name SubCA2):
openssl req -out SubCA2.csr -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout SubCA2Key.pem -subj "/C=NZ/O=MyOrg/CN=SubCA2"
openssl x509 -req -in SubCA2.csr -CAkey SubCA1Key.pem -CA SubCA1.pem -days 3650 -out SubCA2.pem
# Create a leaf certificate (common name Server)
openssl req -out Server.csr -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout ServerKey.pem -subj "/C=NZ/O=MyOrg/CN=Server"
openssl x509 -req -in Server.csr -CAkey SubCA2Key.pem -CA SubCA2.pem -days 3650 -out Server.pem
# Make a Server certificate chain up to but excluding root
cat SubCA1.pem SubCA2.pem Server.pem > ServerChain.pem
# Verify chain against root (Only verifies first cert in chain (SubCA1) against root - PASSES
openssl verify -CAfile Root.pem ServerChain.pem
# Make a chain of just SubCA1 and Sub CA2 and use as intermediates to verify Server against root - FAILS
cat SubCA1.pem SubCA2.pem > SubCAChain.pem
openssl verify -CAfile Root.pem -untrusted SubCAChain.pem Server.pem
I cant seem to get the chain of certificates to verify with open SSL, or in their final application.
I think the problem is that only my root certificate has CA:TRUE in it, the subCA certificates dont, but I cant work out how to make them have it.
Any ideas?
So, the easiest answer to this question that isn't just specific to my needs is to use https://certificatetools.com
There you can configure certificates and make certificate chains. With lots of easy check box options.
At the end you are given all the config files, openssl commands and the certificates. You can just download the keys/certs, or everything you need is there to make your own script file using the given openssl commands and config files.
Awesome tool, high five to the developer.