Certificate Generation using OpenSSL locally

This content originally appeared on DEV Community and was authored by Adarsh Singh

Steps to Create a Certificate Chain

1. Create the Root Certificate Authority (CA)
Generate a private key for the Root CA. genrsa writes the key unencrypted, so restrict access to root.key:

openssl genrsa -out root.key 4096

Generate the Root CA certificate:

openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem -subj "/C=US/ST=State/L=City/O=RootOrg/OU=RootCA/CN=RootCA"

2. Create the Intermediate Certificate Authority (Optional)
Generate a private key for the Intermediate CA:

openssl genrsa -out intermediate.key 4096

Create a Certificate Signing Request (CSR) for the Intermediate CA:

openssl req -new -key intermediate.key -out intermediate.csr -subj "/C=US/ST=State/L=City/O=IntermediateOrg/OU=IntermediateCA/CN=IntermediateCA"

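Sign the Intermediate CA certificate with the Root CA. The <(...) process substitution requires bash or zsh, and pathlen:0 lets this CA sign leaf certificates but not further CAs: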

openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial -out intermediate.pem -days 1825 -sha256 -extfile <(echo "basicConstraints=CA:TRUE,pathlen:0")

3. Create the Leaf Certificate

Generate a private key for the leaf certificate:

openssl genrsa -out leaf.key 2048

Create a Certificate Signing Request (CSR) for the leaf certificate:

openssl req -new -key leaf.key -out leaf.csr -subj "/C=US/ST=State/L=City/O=LeafOrg/OU=Leaf/CN=localhost"

Sign the leaf certificate with the Intermediate CA:

openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out leaf.pem -days 825 -sha256 -extfile <(echo "basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
")

4. Combine the Certificates into a Chain
Concatenate the certificates, leaf first, to create a chain:

cat leaf.pem intermediate.pem root.pem > cert_chain.pem

Now you have:

leaf.key: Private key for the leaf certificate.

cert_chain.pem: Complete certificate chain.

5. Verify the Certificate Chain
Manually verify using OpenSSL. A valid chain prints "leaf.pem: OK":

openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem
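
An added example (not part of the original post) that goes beyond step 5: besides path validation it checks that the hostname matches the leaf's subjectAltName, that leaf.key belongs to leaf.pem, and that the basicConstraints set in steps 2 and 3 are present. File names are the page's; the function names, return codes and the make_demo_chain fixture are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, return codes
# and the demo fixture are assumptions; file names are the page's.

# verify_leaf DIR HOST: build the path leaf -> intermediate -> root and also
# require TLS-server purpose and a subjectAltName match for HOST.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    -purpose sslserver -verify_hostname "$2" "$1/leaf.pem" >/dev/null 2>&1
}

# key_matches DIR: leaf.key belongs to leaf.pem when both yield the same public key.
key_matches() {
  cert_pub=$(openssl x509 -in "$1/leaf.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1/leaf.key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# has_text FILE PATTERN: the decoded certificate contains PATTERN.
has_text() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# check_chain DIR HOST: 0 = all checks pass, 1 = path/purpose/hostname failure,
# 2 = key mismatch, 3 = leaf not CA:FALSE, 4 = intermediate lacks pathlen:0.
check_chain() {
  verify_leaf "$1" "$2" || return 1
  key_matches "$1" || return 2
  has_text "$1/leaf.pem" 'CA:FALSE' || return 3
  has_text "$1/intermediate.pem" 'CA:TRUE, pathlen:0' || return 4
}

# make_demo_chain DIR: constructed fixture that replays steps 1-3 with 2048-bit
# keys and 30-day lifetimes, using extension files instead of <(...).
make_demo_chain() {
  d=$1
  echo 'basicConstraints=CA:TRUE,pathlen:0' > "$d/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:localhost' > "$d/leaf.ext"
  for n in root intermediate leaf; do openssl genrsa -out "$d/$n.key" 2048 || return 1; done
  openssl req -x509 -new -key "$d/root.key" -days 30 -out "$d/root.pem" -subj /CN=RootCA &&
  openssl req -new -key "$d/intermediate.key" -out "$d/intermediate.csr" -subj /CN=IntermediateCA &&
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/intermediate.pem" -days 30 -extfile "$d/ca.ext" &&
  openssl req -new -key "$d/leaf.key" -out "$d/leaf.csr" -subj /CN=localhost &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 30 -extfile "$d/leaf.ext"
} 2>/dev/null
```

Run check_chain . localhost in the directory holding the files from steps 1-4; a non-zero return code names the check that failed.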


Adarsh Singh | Sciencx (2025-01-11T16:20:26+00:00) Certificate Generation using OpenSSL locally. Retrieved from https://www.scien.cx/2025/01/11/certificate-generation-using-openssl-locally/
