Use the CA private key and certificate to create an intermediate CA

This document uses the root CA private key and certificate created in the experiment environment to create an intermediate CA. For easy differentiation, the CA that creates an intermediate CA (intermediate CA) is called the root CA ).

For more information about how to use OpenSSL to create a root CA, see this article.

The intermediate CA is the proxy of the root CA. Its certificate is issued by the root CA, and the intermediate CA can issue the user certificate on behalf of the root CA, thus establishing a trust chain.

The advantage of creating an intermediate CA is that even if the private key of the intermediate CA is disclosed, the impact is controllable. We only need to use the root CA to cancel the certificate of the intermediate CA. In addition, the root CA private key can be properly stored offline and used only when the intermediate CA certificate is revoked and updated.

We create our intermediate CA based on the created root CA, which is consistent with the previous article. Assume that the root directory of the certificate is/etc/pki/CA, store the certificate-related information of the intermediate CA in your own directory. To reflect the transfer logic of the trust chain, you can create a directory under/etc/pki/CA, assume that the certificate Directory of the intermediate CA is/etc/pki/CA/intermediate /.

The process of initializing the certificate directory is no different from that when the root CA is created:

# Mkdir/etc/pki/CA/intermediate # cd/etc/pki/CA/intermediate # mkdir certs crl newcerts private # chmod 700 private # touch index.txt # echo 1000> serial

Next, create the private key of the intermediate CA, and use the AES-256 algorithm to encrypt the private key of the intermediate CA. In the middle, let's enter the encryption key, and finally modify the access permission of the private key of the intermediate CA:

# Cd/etc/pki/CA # openssl genrsa-aes256-out intermediate/private/intermediate. key. pem 4096

Enter pass phrase for intermediate. key. pem:SECRETVerifying-Enter pass phrase for intermediate. key. pem:SECRET

# Chmod 400 intermediate/private/intermediate. key. pem

To apply for a public key Certificate from the root CA, the intermediate CA must first generate a Request file in the CSR (Certificate Signing Request, Certificate Signing Request) format, send it to the root CA and wait for its review of the intermediate CA.

Copy the configuration file used to create the root CA to the intermediate CA certificate Directory. This configuration file is useful when generating the CSR file and subsequently issuing the user certificate.

Create and edit intermediate_CA.cnf:

# Cp/etc/pki/CA/root_CA.cnf/etc/pki/CA/intermediate/intermediate_CA.cnf

# Cd/etc/pki/CA/intermediate
# Vim intermediate_CA.cnf
...
[CA_default]
Dir =/etc/pki/CA/intermediate
Certs = $ dir/certs
Private = $ dir/private
Certificate = $ certs/intermediate. cert. pem
Private_key = $ private/intermediate. key. pem

In the future, each time we use an intermediate CA to create a new certificate, we will notify OpenSSL intermediate CA information in the form of "-config/etc/pki/CA/intermediate/intermediate_CA.cnf.

Intermediate_CA.cnf applies for a validity period of 365 days by default. If you want to modify the validity period, you can modify it in the "default_days" field of [CA_default.

Then you can generate the CSR file:

# Cd/etc/pki/CA/intermediate # openssl req-config intermediate_CA.cnf-sha256-new-key private/intermediate. key. pem-out certs/intermediate. csr. pem

Then the system will ask us to enter the private key password of the intermediate CA, set some identity information of the intermediate CA, and so on. Note that the "Organization Name" must be the same as that set at the root CA.

After correctly entering the identity information of the intermediate CA, we get the CSR of the intermediate CA.

Next, we use the root CA to agree to the request from the intermediate CA, because we will use the root CA's private key to sign the intermediate CA certificate. At this time, the system will ask us to enter the root CA's private key password, select the signature certificate as follows:

# Cd/etc/pki/CA # openssl ca-config root_CA.cnf \-extensions v3_ca-notext-md sha256-in intermediate/certs/intermediate. csr. pem-out intermediate/certs/intermediate. cert. pem

Using configuration from root_CA.cnf
Enter pass phrase for/etc/pki/CA/private/ca. key. pem:
Check that the request matches the signature
Signature OK
Certificate Details:

...

Sign the certificate? [Y/n]: y

1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated

# Chmod 444 intermediate/certs/intermediate. cert. pem

At this point, we have generated a public key certificate for the intermediate CA. Below we can verify the authenticity of this certificate:

# Openssl verify-CAfile/etc/pki/CA/certs/ca. cert. pem/etc/pki/CA/intermediate/certs/intermediate. cert. pem

/Etc/pki/CA/intermediate/certs/intermediate. cert. pem: OK

The system displays "OK", indicating that the certificate we issued to the intermediate CA is valid.

At this point, we can issue a certificate to a common customer in a way similar to that obtained by an intermediate CA, but we will do so as an intermediate CA. Since the intermediate CA certificate has also been authenticated by the upper-level CA, the complete CA certificate chain must be provided to OpenSSL in the future.

So our work is not complete yet. Next we will construct such a CA certificate chain. In fact, it is very simple to append the root CA certificate to the intermediate CA certificate. In the production environment, CA certificates at all levels are public. Therefore, you can append the certificates in sequence to generate a file called "CA certificate chain.

# Cd/etc/pki/CA # cat intermediate/certs/intermediate. cert. pem certs/ca. cert. pem> intermediate/certs/ca-chain.cert.pem # chmod 444 intermediate/certs/ca-chain.cert.pem

In the future, we want to verify the certificate issued by our intermediate CA, such as www.example.com. cert. pem, so that we can:

# Openssl verify-CAfile/etc/pki/CA/intermediate/certs/ca-chain.cert.pem/etc/pki/CA/intermediate/certs/www.example.com. cert. pem/etc/pki/CA/intermediate/certs/www.example.com. cert. pem: OK

So far, we have successfully created an intermediate CA. Use it to issue a user certificate. Although it is only an experiment environment, do not forget to review it as necessary!

Use the CA private key and certificate to create an intermediate CA