Compare commits


2 commits


@ -180,6 +180,7 @@ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
``` ```
## Create Certificate Chain ## Create Certificate Chain
### Preparation
```sh ```sh
mkdir -p /root/intermediate mkdir -p /root/intermediate
echo 1000 > /root/intermediate/serial echo 1000 > /root/intermediate/serial
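Review bot: the new `### Preparation` heading now introduces a bare command block; one sentence under it stating what `/root/intermediate` and the `serial` file are for (the intermediate CA's working directory and the starting serial number that `openssl ca` will assign to certificates it issues) would make the subsection self-explaining. The `###` level is consistent with the other subsections this change introduces, so no change needed there.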
@ -263,14 +264,33 @@ authorityKeyIdentifier = keyid,issuer # Authority key iden
openssl genrsa -out /root/intermediate/intermediate.key.pem 4096 openssl genrsa -out /root/intermediate/intermediate.key.pem 4096
``` ```
Requesting and signing intermediate certificate: ### Requesting an Intermediate Certificate
Be sure to specify a fantasy domain name as "Common Name" while generating the request.
```sh ```sh
cd /root/intermediate cd /root/intermediate
# Create Request # Create Request
openssl req -new -newkey rsa:2048 -nodes -key intermediate.key.pem -out intermediate.req openssl req -new -newkey rsa:2048 -nodes -key intermediate.key.pem -out intermediate.req
```
# Sign Certificate ### Signing the Intermediate Certificate
```sh
openssl ca -config /root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.req -out intermediate.cer
```
You might notice, that - probably due to an error in the lab's paper - signing the certificate is not working.
This is caused by the `policy_strict` policy which requires the country, city and company of certificate requests to equal with the corresponding fields of the CA's certificate.
Change the CA's `policy` configuration to `policy_loose` in order to address the issue:
```sh
sed -i 's/^\(policy *= policy_\)strict/\1loose/' /root/ca/openssl.cnf
```
After that, signing works properly:
```sh
openssl ca -config /root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.req -out intermediate.cer openssl ca -config /root/ca/openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate.req -out intermediate.cer
``` ```
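Review bot: the `sed` that flips `policy = policy_strict` to `policy_loose` in `/root/ca/openssl.cnf` relaxes the issuance policy for every certificate the root CA will ever sign, not just this intermediate; the narrower fix is to keep `policy_strict` and answer the request's country, state/city and organization prompts with the values used in the CA's own certificate, or, if the loose policy is really wanted for the lab, say explicitly that it is a global change and show how to revert it afterwards. Two wording points in the same paragraph: "requires the country, city and company of certificate requests to equal with the corresponding fields" reads better as "requires ... to match the corresponding fields", and "You might notice, that - probably due to ..." should drop the comma after "notice". In the request step, "fantasy domain name" is clearer as "a fictitious domain name that differs from the CA's Common Name", and the `openssl req` line carries both `-newkey rsa:2048` and `-key intermediate.key.pem`; since the key loaded with `-key` (the 4096-bit one generated just above) is what signs the request, `-newkey rsa:2048` is redundant and misleadingly suggests a 2048-bit key is created, so consider dropping it.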