Shammer's Philosophy

My private adversaria

Generate a certificate and a private key for an intermediate CA

This is the next step after Generate Root CA certificate whose extensions are equivalent as DigiCert Global Root CA - Shammerism.
Based on My CA preparation supporting OCSP - Shammerism, the intermediate CA certificate should include the OCSP URL and the CRL Distribution Points of the Root CA.

Pass the config file below with the -config option when running openssl req -new.

$ cat generate-intermediate-ca-csr.conf
[ default ]
ca	  = TotoRiottoIntermediateCA
dir	  = .
name_opt  = multiline,-esc_msb,utf8

[ req ]
default_bits	   = 2048
encrypt_key	   = yes
default_md	   = sha256
utf8		   = yes
string_mask	   = utf8only
prompt		   = no
distinguished_name = ca_dn
req_extensions	   = x509_extensions

[ ca_dn ]
countryName            = "JP"
stateOrProvinceName    = "Kanagawa"
localityName           = "Yokohama"
organizationName       = "TotoRiotto"
commonName	       = "TotoRiotto Intermediate CA"

[ x509_extensions ]
keyUsage             = critical,keyCertSign,cRLSign
basicConstraints     = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash

The command to generate the intermediate CA's CSR is below.

openssl req -new -config generate-intermediate-ca-csr.conf -nodes -keyout TotoRiottoIntermediateCA/private/ca.key -out TotoRiottoIntermediateCA/csr.pem


After generating the CSR, sign it with the Root CA, paying attention to the X.509 extensions in the signing config.

$ cat sign-by-RootCA.conf
[ default ]
ca	  = TotoRiottoRootCA
dir	  = .
name_opt  = multiline,-esc_msb,utf8

[ ca ]
default_ca = root_ca

[ root_ca ]
certificate        = $dir/$ca/cacert.pem
private_key        = $dir/$ca/private/ca.key
new_certs_dir      = $dir/$ca/certs
serial             = $dir/$ca/certificate_serial
crlnumber          = $dir/$ca/crl_serial
database           = $dir/$ca/database
unique_subject     = yes
default_md	   = sha256
default_days       = 3650
default_bits	   = 2048
default_crl_days   = 1
email_in_dn        = no
policy             = match_pol
encrypt_key	   = yes
utf8		   = yes
string_mask	   = utf8only
prompt		   = no
x509_extensions	   = x509_extensions

[ match_pol ]
countryName         = match
stateOrProvinceName = optional
localityName        = optional
organizationName    = match
commonName          = supplied

[ x509_extensions ]
keyUsage               = critical,digitalSignature,keyCertSign,cRLSign
basicConstraints       = critical,CA:true,pathlen:0
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess    = @issuer_info
crlDistributionPoints  = @crl_info

[ issuer_info ]
OCSP;URI.0 = http://ocsp.totoriotto.xyz/

[ crl_info ]
URI.0 = http://pki.totoriotto.xyz/root-ca.crl

The sign command is below.

$ openssl ca -config sign-by-RootCA.conf -in TotoRiottoIntermediateCA/csr.pem -out TotoRiottoIntermediateCA/cacert.pem

The X509v3 extensions of the resulting certificate are shown below.

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Subject Key Identifier: 
        87:DA:25:73:E1:96:07:3C:E8:BF:EE:A0:0D:D6:B1:2A:76:68:73:66
    X509v3 Authority Key Identifier: 
        keyid:25:20:B1:12:6D:F3:C9:87:A4:98:1B:06:BD:EC:8A:2D:68:21:33:2A

    Authority Information Access: 
        OCSP - URI:http://ocsp.totoriotto.xyz/

    X509v3 CRL Distribution Points: 

        Full Name:
          URI:http://pki.totoriotto.xyz/root-ca.crl
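The whole procedure above, carried through end to end as an added example (this is not code from the original post): the script builds a throwaway root CA and intermediate CA in a temporary directory, using the same DN, policy and extension sections as the two configs on this page, signs the intermediate CSR with openssl ca, and then checks the signed certificate for the properties the post cares about: CA:TRUE with pathlen:0, keyCertSign and cRLSign, the Root CA's OCSP responder and its CRL distribution point. The CA names and URLs are the post's; the self-signed root and the on-disk layout (database and serial files under TotoRiottoRootCA) are assumptions standing in for the earlier "My CA preparation" setup, and the three config files of the post are merged into one file for brevity. As in the post, -nodes writes the private keys unencrypted, overriding encrypt_key = yes.

```shell
#!/bin/sh
# Added example, not code from the original post: build a root CA and an
# intermediate CA in a temp directory with the post's extension settings,
# sign the intermediate CSR with `openssl ca`, and verify the result.
# The layout (database, serial files) is an assumption about the earlier setup.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
ROOT=TotoRiottoRootCA
INTER=TotoRiottoIntermediateCA
mkdir -p "$ROOT/private" "$ROOT/certs" "$INTER/private"
chmod 700 "$ROOT/private" "$INTER/private"
touch "$ROOT/database"
echo 01 > "$ROOT/certificate_serial"

# One config file serving all three steps. [ x509_extensions ], [ issuer_info ]
# and [ crl_info ] are the post's sign-by-RootCA.conf sections verbatim.
cat > pki.conf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = .
certificate = $dir/TotoRiottoRootCA/cacert.pem
private_key = $dir/TotoRiottoRootCA/private/ca.key
new_certs_dir = $dir/TotoRiottoRootCA/certs
serial = $dir/TotoRiottoRootCA/certificate_serial
database = $dir/TotoRiottoRootCA/database
default_md = sha256
default_days = 3650
policy = match_pol
x509_extensions = x509_extensions
[ match_pol ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = inter_dn
[ inter_dn ]
countryName = JP
stateOrProvinceName = Kanagawa
localityName = Yokohama
organizationName = TotoRiotto
commonName = TotoRiotto Intermediate CA
[ inter_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
[ root_ext ]
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ x509_extensions ]
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
[ issuer_info ]
OCSP;URI.0 = http://ocsp.totoriotto.xyz/
[ crl_info ]
URI.0 = http://pki.totoriotto.xyz/root-ca.crl
EOF

# 1. Self-signed root, a stand-in for the root built in the earlier post.
openssl req -x509 -new -config pki.conf -extensions root_ext -nodes -days 7300 \
  -subj "/C=JP/O=TotoRiotto/CN=TotoRiotto Root CA" \
  -keyout "$ROOT/private/ca.key" -out "$ROOT/cacert.pem" 2>/dev/null
# 2. Intermediate CSR. -nodes leaves the key unencrypted, as in the post.
openssl req -new -config pki.conf -reqexts inter_ext -nodes \
  -keyout "$INTER/private/ca.key" -out "$INTER/csr.pem" 2>/dev/null
# 3. Sign with the root. -batch answers the two confirmation prompts.
openssl ca -batch -config pki.conf -in "$INTER/csr.pem" -out "$INTER/cacert.pem"

# Returns 0 only if the certificate chains to the given root and carries the
# four properties the post expects: CA:TRUE with pathlen:0, keyCertSign and
# cRLSign, the root's OCSP responder, and the root's CRL distribution point.
check_intermediate() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$2" -noout -text)
  echo "$text" | grep -q 'CA:TRUE, pathlen:0' || return 1
  echo "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
  echo "$text" | grep -q 'OCSP - URI:http://ocsp.totoriotto.xyz/' || return 1
  echo "$text" | grep -q 'URI:http://pki.totoriotto.xyz/root-ca.crl' || return 1
}

check_intermediate "$ROOT/cacert.pem" "$INTER/cacert.pem" && echo "intermediate CA certificate OK"
```

The CSR's extension request ([ inter_ext ]) is only a request: openssl ca ignores it unless copy_extensions is set, and the extensions in the final certificate come from the CA's own [ x509_extensions ] section, which is why the signing config, not the CSR config, is where the OCSP and CRL URLs of the Root CA have to be written. pathlen:0 is what stops this intermediate from issuing further CA certificates, so check_intermediate treats its absence as a failure, and a certificate without the AIA and CRL DP entries fails too, since relying parties would then have no way to check the intermediate's revocation status.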