3.1. Issue Server-side Certificates

This chapter describes how to issue server-side certificates using OpenSSL command-line tools.

Generate a new private key for the server

You can choose either RSA or EC keys, but you need to pay attention to the key length:

• RSA 2048
• EC 256

Here is an example using RSA:

 1MY_CA_L2_DIR=$RSA_CA_R1_DIR          # The directory of the intermediate CA.
 2
 3NEW_CERT_DOMAIN=www.your-domain.com
 4NEW_SERVER_KEY_PATH=$MY_CA_L2_DIR/private/server-$NEW_CERT_DOMAIN.key.pem
 5
 6openssl genrsa -rand $MY_CA_L2_DIR/.rand -out $NEW_SERVER_KEY_PATH 2048
 7
 8# [Optional] Protect the private key with a password.
 9# openssl genrsa -rand $MY_CA_L2_DIR/.rand -aes-256-cfb -out $NEW_SERVER_KEY_PATH 2048
10
11# Or you can use EC keys
12# openssl ecparam -rand $MY_CA_L2_DIR/.rand -genkey -name prime256v1 -noout -out $NEW_SERVER_KEY_PATH
13
14# [Optional] Protect the private EC key with a password, you can use the following command.
15# openssl ec -aes-256-cfb -in $NEW_SERVER_KEY_PATH -out $NEW_SERVER_KEY_PATH

Generate a certificate signing request file (xxx.csr.pem)

Just like the process of issuing an intermediate CA certificate, the process of issuing a server certificate is also divided into two steps.

Firstly, create a draft of the application form (xxx.csr.cnf), which is a text file describing the detailed information of the certificate to be applied for.

 1NEW_SERVER_CERT_REQ_PATH=$MY_CA_L2_DIR/csr/server-$NEW_CERT_DOMAIN.csr.cnf
 2
 3cat > $NEW_SERVER_CERT_REQ_PATH << EOL
 4[ req ]
 5distinguished_name  = req_distinguished_name
 6string_mask         = utf8only
 7req_extensions      = req_ext
 8x509_extensions     = v3_req
 9
10# SHA-1 is deprecated, so use SHA-2 instead.
11default_md          = sha256
12prompt              = no
13
14[ req_distinguished_name ]
15# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
16commonName                      = $NEW_CERT_DOMAIN
17
18[req_ext]
19subjectAltName = @alt_names
20
21[v3_req]
22subjectAltName = @alt_names
23
24[alt_names]
25# IP.1 = 127.0.0.1
26DNS.1 = $NEW_CERT_DOMAIN
27EOL

NOTE: Don’t miss the subjectAltName in the server certificate, otherwise the browser will not recognize it.

Then use the openssl req command to add your certificate public key (note that this is the key of the new certificate, not the key of the CA) to the application form, and sign the application form with your certificate private key to get a new file xxx.csr.pem, which is a BASE64-encoded DER file.

1NEW_SERVER_CERT_CSR_PATH=$MY_CA_L2_DIR/csr/server-$NEW_CERT_DOMAIN.csr.pem
2
3openssl req \
4    -config $NEW_SERVER_CERT_REQ_PATH \
5    -new -sha256 \
6    -key $NEW_SERVER_KEY_PATH \
7    -out $NEW_SERVER_CERT_CSR_PATH

You can view the detailed information of the file with the following command.

1openssl req \
2    -in $NEW_SERVER_CERT_CSR_PATH \
3    -noout \
4    -text

Sign the certificate

Now, everything is ready, let’s sign the certificate, with an intermediate CA:

 1NEW_SERVER_CERT_PATH=$MY_CA_L2_DIR/issued_certs/server-$NEW_CERT_DOMAIN.cert.pem
 2
 3openssl ca \
 4    -config $MY_CA_L2_DIR/ca.cnf \
 5    -extensions server_cert \
 6    -days 180 \
 7    -notext \
 8    -md sha256 \
 9    -batch \
10    -in $NEW_SERVER_CERT_CSR_PATH \
11    -out $NEW_SERVER_CERT_PATH

Here is the explanation of the command:

• Option -config $MY_CA_L2_DIR/ca.cnf

  This option specifies the configuration file of the CA, which is described in the previous chapter.

• Option -batch

  This option indicates that the batch automation mode is used, and the information is read directly from the CA configuration and command-line parameters. So no interactive input is required.

• Option -md sha256

  Specifies the hash algorithm to use when signing the certificate. If omitted, the algorithm specified by default_md in the CA configuration file is used.

• Option -days

  Specifies the validity period of the certificate (from the system time when it is signed), in days. If omitted, the duration specified by default_days in the CA configuration file is used.

  If you need to generate a certificate for a specific time (such as an expired certificate for some test scenarios), you can replace the parameter -days 180 with -startdate 220101000000Z -enddate 220301000000Z. Where,

  • -startdate indicates the start time of the certificate validity period, in the format YYMMDDhhmmssZ, where the year, month, day, hour, minute, and second are represented by 2 digits each, and the Z at the end indicates the use of the UTC time zone.
  • -enddate indicates the end time of the certificate validity period, in the same format as above.

And then, check the detailed information of the generated certificate with this command.

1openssl x509 -noout -text -in $NEW_SERVER_CERT_PATH

You can check whether the intermediate CA certificate can be used to verify the server certificate with the following command.

1openssl verify -CAfile $MY_CA_L2_DIR/ca.fullchain.pem $NEW_SERVER_CERT_PATH

Generate the full chain of the server certificate

In the previous command, a chain of certificates is used, because a full chain is required to verify the server certificate.

So, you need to generate a full chain of the server certificate.

1NEW_SERVER_FULLCHAIN_PATH=$MY_CA_L2_DIR/issued_certs/server-$NEW_CERT_DOMAIN.fullchain.pem
2
3cat > $NEW_SERVER_FULLCHAIN_PATH << EOL
4$(cat $NEW_SERVER_CERT_PATH)
5
6$(cat $MY_CA_L2_DIR/ca.fullchain.pem)
7EOL

Then, verify the certificate chain with the following command.

1openssl verify -CAfile $MY_CA_L2_DIR/ca.fullchain.pem $NEW_SERVER_FULLCHAIN_PATH

Now, a server certificate has been successfully issued, and you can use it to configure your server.