Try this... if you need some extensions you can add those in openssl.cnf.

export OPENSSL_CONF=./openssl.cnf PATH=.:$PATH

# Root Certificate (self-signed, extensions from the [root_cert] section below)
openssl genrsa -out ROOT.key 2048
openssl req -new -x509 -key ROOT.key -sha1 -out ROOT.cert.pem -extensions root_cert -days 7400
# DER copy of the root certificate
openssl asn1parse -in ROOT.cert.pem -out ROOT.cer -noout

# Key and request for the certificate the root will sign
openssl genrsa -out endcert_key.key 2048
#openssl req -new -key endcert_key -sha1 -out end_cert.cert.pem.unsigned -days 10000
openssl req -new -key endcert_key.key -out end_cert.cert.pem.unsigned -days 7400

# "openssl ca" needs its database under demoCA/: the CA certificate, an index file,
# a serial file and the newcerts directory
mkdir -p demoCA/newcerts
cp ROOT.cert.pem demoCA/cacert.pem
cat /dev/null > demoCA/index.txt
[ -f demoCA/serial ] || echo 01 > demoCA/serial
openssl ca -in end_cert.cert.pem.unsigned -keyfile ROOT.key -extensions end_cert -out end_cert.cert.pem -notext

You can add these lines in openssl.cnf:

[ CA_default ]
dir             = ./demoCA               # Where everything is kept
certs           = $dir/certs             # Where the issued certs are kept
crl_dir         = $dir/crl               # Where the issued crl are kept
database        = $dir/index.txt         # database index file.
new_certs_dir   = $dir/newcerts          # default place for new certs.
certificate     = $dir/cacert.pem        # The CA certificate
serial          = $dir/serial            # The current serial number
crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand     # private random number file
x509_extensions = usr_cert               # The extensions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

default_days    = 7400                   # how long to certify for
default_crl_days= 30                     # how long before next CRL
# Changed by Bhupendra
#default_md     = md5                    # which md to use.
default_md      = sha1                   # which md to use.
preserve        = no                     # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
#countryName            = match

[root_cert]
keyUsage=critical, keyCertSign, cRLSign
subjectKeyIdentifier=hash
# DER for SEQUENCE { BOOLEAN TRUE, INTEGER 1 }, i.e. CA:TRUE with pathLenConstraint 1
basicConstraints= critical, DER:30:06:01:01:ff:02:01:01

[end_cert]
keyUsage=critical, keyCertSign, cRLSign
subjectKeyIdentifier=hash
#authorityKeyIdentifier=keyid:always,issuer:always
authorityKeyIdentifier=keyid:always
#basicConstraints= critical, CA:TRUE, pathLenConstraint:0
# DER for SEQUENCE { BOOLEAN TRUE, INTEGER 0 }, i.e. CA:TRUE with pathLenConstraint 0
# (a sub-CA that may sign end-entity certificates but no further CAs)
basicConstraints= critical, DER:30:06:01:01:ff:02:01:00

Regards
Ram

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mr.Rout
Sent: Thursday, November 03, 2011 10:28 AM
To: openssl-users@openssl.org
Subject: RE: Help in Generating Chained ROOT Certificate

Thanks Dave. Probably I have not understood things properly. After surfing through Google I got confused.

Actually I am doing TLS Client Testing which authenticates the Server (www.https.com in my example).

Steps I followed to achieve this:
1) Created a Self-signed Certificate where Issuer & Subject have the same CN, i.e. www.https.com
2) Then I import the Server.pem file on the TLS Client and the same at the Server also.

Here are the OpenSSL commands to generate the Self-Signed Certificate:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Question here is: Can we create a "Certificate Hierarchy"?
Like ROOT (Issuer=X & Subject=X) ---> SubCA (Issuer=X & Subject=Y)

Please help me in generating this hierarchy.
Thanks in advance.
-Best Regards,
Rout

Dave Thompson-5 wrote:
>
>> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
>> Sent: Monday, 31 October, 2011 13:43
>
>> I am a newbie to OpenSSL. I am confused about Chained ROOT
>> certificates?
>> Could someone please guide me on the step by step approach for generating
>> a Chained ROOT certificate?
>>
>> e.g. My Server name is "www.https.com" (I successfully
>> generated a Self-signed
>> SSL certificate where I put CN=www.https.com)
>>
>> But wondering how would I be able to generate a ROOT certificate?
>>
>> Awaiting a nice reply with lucid explanation.
>>
> You'll have to ask a lucid question first.
>
> Root certificates aren't chained; if they were they wouldn't be roots.
> A self-signed certificate is its own root; it never chains to anything.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
>

--
View this message in context: http://old.nabble.com/Help-in-Generating-Chained-ROOT-Certificate-tp32753985p32770603.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
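The hierarchy Rout asks for (a ROOT with Issuer=X and Subject=X signing a SubCA with Subject=Y), together with the demoCA bookkeeping that Ram's "openssl ca" call silently depends on, as an added end-to-end example; this is not code from the thread or from the OpenSSL project. It assumes a throwaway working directory, a minimal ca.cnf that the script writes itself (an assumed file, not the poster's openssl.cnf), and made-up names (Example Root CA, Example Sub CA, www.example.test). The sub CA is signed with "openssl ca" as in Ram's script; a server certificate below it is signed with "openssl x509 -req", which needs no database. "pathlen:0" is the text spelling of the DER basicConstraints Ram uses. It ends with the checks that matter in practice: the sub CA's issuer is the root, the sub CA really carries the path-length limit, and the server certificate verifies only when the intermediate is supplied alongside it.

```shell
#!/bin/sh
# Added example, not code from the thread: root CA -> sub CA (pathlen 0) ->
# server certificate, then the checks a relying party runs on the result.
# All names (Example Root CA, Example Sub CA, www.example.test) are made up.
set -eu

# Minimal openssl.cnf for this example (an assumed file, not the poster's).
# "pathlen:0" is the text form of the DER basicConstraints used in the thread.
write_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = ./db
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
default_md     = sha256
default_days   = 3650
policy         = policy_loose
unique_subject = no
[ policy_loose ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ root_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# build_chain WORKDIR: creates root.pem, sub.pem and server.pem in WORKDIR.
build_chain() (
    set -e
    cd "$1"
    write_config
    # "openssl ca" refuses to run without the index, serial and newcerts dir.
    mkdir -p db/newcerts
    : > db/index.txt; echo 1000 > db/serial
    # Self-signed root: issuer == subject, the one place where that is legitimate.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key root.key -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -extensions root_ca -out root.pem
    # Sub CA: a CSR signed by the root with "openssl ca", as in the thread.
    openssl genrsa -out sub.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -key sub.key -sha256 \
        -subj "/CN=Example Sub CA" -out sub.csr
    openssl ca -batch -config ca.cnf -cert root.pem -keyfile root.key \
        -extensions sub_ca -notext -in sub.csr -out sub.pem 2>/dev/null
    # Server certificate issued by the sub CA ("x509 -req" needs no database).
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -key server.key -sha256 \
        -subj "/CN=www.example.test" -out server.csr
    openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -sha256 -days 825 -extfile ca.cnf -extensions server_cert -out server.pem 2>/dev/null
)

# verify_chain WORKDIR: 0 if server.pem chains to root.pem through sub.pem.
verify_chain() {
    out=$(cd "$1" && openssl verify -CAfile root.pem -untrusted sub.pem server.pem 2>&1) || true
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Same check with sub.pem withheld. Returns 0 when verification FAILS, which is
# the expected outcome: a client holding only the root cannot build the chain,
# so a server must send its intermediate along with its own certificate.
verify_without_intermediate_fails() {
    out=$(cd "$1" && openssl verify -CAfile root.pem server.pem 2>&1) || true
    case "$out" in *": OK"*) return 1 ;; *) return 0 ;; esac
}

# issuer_cn FILE: CN of the issuer; basic_constraints FILE: e.g. "CA:TRUE, pathlen:0".
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*CN=//'
}
basic_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | tail -1 | sed 's/^ *//'
}

WORK=$(mktemp -d)
build_chain "$WORK"
echo "sub CA issued by: $(issuer_cn "$WORK/sub.pem") ($(basic_constraints "$WORK/sub.pem"))"
echo "server cert issued by: $(issuer_cn "$WORK/server.pem")"
verify_chain "$WORK" && echo "full chain verifies"
verify_without_intermediate_fails "$WORK" && echo "without the sub CA it does not"
```

Run it as a plain statement (the script uses set -e, so a failing openssl step aborts it rather than producing a half-built chain) with the openssl binary on PATH; it signs with SHA-256 rather than the SHA-1 of the 2011 thread. Compared with Ram's script, the serial file and newcerts directory are created explicitly, the root certificate and key are passed to "openssl ca" on the command line instead of being copied into demoCA/, and the final two checks show why an intermediate must be deployed on the server rather than only imported on the client.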