Issuing CA Signing Certificate with OpenSSL - dogtagpki/pki GitHub Wiki

Overview

This page describes how to issue a CA signing certificate with OpenSSL, given the CA signing CSR.

Simplified Procedure

Issuing Self-signed CA Signing Certificate

The CSR can be self-signed as follows:

$ openssl x509 \
    -req \
    -in ca_signing.csr \
    -signkey ca_signing.key \
    -days 365 \
    -out ca_signing.crt

Issuing CA Signing Certificate with Another CA

$ openssl x509 \
    -req \
    -in ca_signing.csr \
    -CA root_ca_signing.crt \
    -CAkey root_ca_signing.key \
    -CAcreateserial \
    -days 365 \
    -out ca_signing.crt

Advanced Procedure

$ openssl x509 \
    -req \
    -in ca_signing.csr \
    -CA root_ca_signing.crt \
    -CAkey root_ca_signing.key \
    -CAcreateserial \
    -out ca_signing.crt \
    -extfile openssl.cfg \
    -extensions ca_extensions

Verification

$ openssl x509 -text -noout -in ca_signing.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b1:d0:b4:f2:8e:e6:7d:4b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, CN = Certificate Authority
        Validity
            Not Before: Mar  5 18:44:04 2019 GMT
            Not After : Mar  4 18:44:04 2020 GMT
        Subject: O = EXAMPLE, CN = Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:8a:7b:fd:37:2c:58:49:55:32:3c:e3:69:a0:
                    1c:8f:92:87:73:d1:fa:ae:a8:45:98:eb:0b:fd:56:
                    1d:6c:dc:d3:91:90:f7:8b:90:d5:07:8b:05:14:41:
                    d3:33:01:28:28:aa:41:2a:1f:61:91:8f:25:69:15:
                    16:8e:d8:9d:0c:9b:b6:f8:d0:4f:2c:96:be:93:44:
                    3e:29:45:88:42:4a:35:ae:d8:12:8e:60:8d:fa:83:
                    19:16:1e:cc:a3:c7:d5:d5:62:d2:06:73:63:c1:b5:
                    2b:31:e4:4a:c4:e6:91:fe:ba:1a:62:02:30:1f:94:
                    5a:e9:cc:6c:54:71:a7:80:07:eb:8d:73:ed:8a:e1:
                    69:ee:a8:f3:51:b6:d1:04:14:4f:d8:ba:4a:0e:4e:
                    39:47:39:65:48:b8:73:d3:da:a0:a3:5d:f9:6f:2d:
                    b3:12:b7:d4:b1:6a:26:6b:e7:73:bd:f5:95:23:6e:
                    ee:9b:60:c4:cc:73:0c:00:71:0b:64:ce:81:48:91:
                    18:68:65:16:fb:2e:1c:1d:0b:ae:87:3e:81:a3:56:
                    18:2f:a4:47:a7:a4:61:b8:cc:e5:20:b3:7b:6b:f5:
                    f3:9d:2e:99:73:c3:95:fe:14:65:91:95:54:52:16:
                    ba:b6:a4:90:fe:e5:cd:4d:a7:9f:6b:ab:06:ad:15:
                    8d:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         4f:1d:b9:2c:37:22:9f:00:02:c7:4e:b4:d1:a9:ac:19:39:2a:
         a0:7a:73:9c:87:7d:31:00:3d:56:bc:1b:a3:33:b8:8d:49:de:
         74:fe:9c:4e:57:20:64:81:01:ed:ce:32:c5:38:aa:3c:99:24:
         86:d5:b4:c4:93:b5:2b:f9:59:fb:60:3d:e6:91:dd:6a:7f:d4:
         44:35:46:c0:41:16:aa:17:3b:77:aa:82:d5:40:79:0d:f8:30:
         65:a6:6a:7d:7b:e6:b5:4a:38:ae:9d:aa:e0:a8:f1:a1:65:20:
         15:1f:fe:71:ff:77:d5:0a:76:b7:4f:17:cd:d2:b0:2a:71:79:
         1d:c4:ee:48:4a:51:55:2a:fc:c5:0a:4b:c1:3a:3f:bd:88:81:
         28:6a:cb:de:de:af:b2:2b:e2:5b:90:14:2c:09:7d:fb:13:2f:
         47:b0:a9:ca:17:40:66:14:c5:6d:eb:7c:b0:f3:ce:1d:39:b2:
         44:dc:26:7d:58:ea:16:6f:8b:41:c9:11:60:12:1c:b7:ca:e2:
         74:94:48:84:2f:3a:93:17:31:0b:2f:57:da:6a:be:64:f3:f9:
         0b:53:c5:55:44:f0:4e:fa:46:c6:a0:31:5f:5e:52:d7:b0:3d:
         a5:70:39:03:76:a2:14:d8:c2:19:06:18:99:15:6e:b4:de:e3:
         33:21:90:4e
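
The Verification output above shows `Version: 1` and no X509v3 extensions, so the following added example (not part of the original wiki page) runs the Advanced Procedure end to end and checks that the result is a v3 CA certificate that chains to the root. The contents of `openssl.cfg`, the `root_extensions` section, the throwaway keys and subjects, the 30-day lifetime, and the function names `issue_ca_signing_cert` and `check_ca_cert` are assumptions.

```shell
#!/bin/sh
# Added example: all keys, subjects and the openssl.cfg contents are constructed samples.
set -eu

# issue_ca_signing_cert DIR: run the Advanced Procedure inside DIR.
issue_ca_signing_cert() (
    cd "$1"
    # Assumed openssl.cfg; the page names the file and section but not their contents.
    cat > openssl.cfg <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_extensions ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca_extensions ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # Sample root CA key and the CSR to sign (inputs the page takes as given).
    for name in root_ca_signing ca_signing; do
        openssl req -new -newkey rsa:2048 -nodes -config openssl.cfg \
            -subj "/O=EXAMPLE/CN=$name" -keyout "$name.key" -out "$name.csr"
    done
    openssl x509 -req -in root_ca_signing.csr -signkey root_ca_signing.key \
        -days 30 -out root_ca_signing.crt \
        -extfile openssl.cfg -extensions root_extensions
    # The Advanced Procedure command from the page, with a -days value added.
    openssl x509 -req -in ca_signing.csr \
        -CA root_ca_signing.crt -CAkey root_ca_signing.key -CAcreateserial \
        -days 30 -out ca_signing.crt \
        -extfile openssl.cfg -extensions ca_extensions
)

# check_ca_cert DIR: succeed only if ca_signing.crt is a v3 CA cert chaining to the root.
check_ca_cert() (
    cd "$1" || exit 1
    text=$(openssl x509 -text -noout -in ca_signing.crt) || exit 1
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' &&
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign' &&
    openssl verify -CAfile root_ca_signing.crt ca_signing.crt >/dev/null
)

demo_dir=$(mktemp -d)
issue_ca_signing_cert "$demo_dir"
check_ca_cert "$demo_dir" && echo "OK: ca_signing.crt is a v3 CA certificate"
```

Without `-extfile` and `-extensions`, the same signing command produces a certificate with no `CA:TRUE`, which `check_ca_cert` rejects.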
