Example: Root CA to sign client certificate
This example shows how to create a root CA that signs client certificates directly. The configuration sets pathlen:0, so this CA can only issue end-entity certificates (client or server); it cannot issue intermediate CAs. It is used in the article: How to configure certification based client authentication with Nginx ?
If you want to be your own CA, this section shows you how to create a root CA certificate.
It will create:
- a private key
- and a self-signed certificate
The config file, ca.ini:
[ req ]
# Options for the `req` tool: PKCS#10 certificate request and certificate generating utility (`man req`)
distinguished_name = req_distinguished_name
# do not prompt for the DN fields
prompt = no
# Extensions to add when the -x509 option is used (certificate creation in one pass)
x509_extensions = ca_certificate_extensions
# Default md (message digest used for the signature hash/fingerprint).
# SHA-1 is deprecated, so use the SHA-2 family instead:
# TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm
# https://support.apple.com/en-us/HT210176
default_md = sha256

[ req_distinguished_name ]
# DN used for the root CA certificate
C = YourCountry
O = YourOrganisationFullName
CN = YourOrganisationName

[ ca_certificate_extensions ]
# A CA certificate must contain CA:true.
# pathlen:0 - the certificate can only be used to sign end-entity certificates, not further CAs.
basicConstraints = critical, CA:true, pathlen:0
# Key Usage
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Used to sign server or client auth certificates. RFC 5280 leaves the meaning of EKU on a CA
# certificate undefined, but some verifiers (OpenSSL purpose checks, Windows) require every EKU
# of a leaf to also appear on its issuing CAs, so list every purpose this CA will issue certificates for.
extendedKeyUsage = serverAuth, clientAuth
# as seen at https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html under the v3_ca example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
The one-liner that generates the self-signed root certificate and its private key:
openssl req \
  -x509 `# output a self-signed certificate instead of a certificate request` \
  -newkey rsa:2048 `# generate a new RSA private key of 2048 bits` \
  -nodes `# don't encrypt the private key` \
  -keyout root_private_key.pem `# the name of the private key file` \
  -out root_certificate.pem `# the name of the root certificate` \
  -config ca.ini `# the DN information and extensions for the certificate` \
  -sha256 `# sha2 family required by apple https://support.apple.com/en-us/HT210176` \
  -days 1460 `# 4 years (1460 days), a typical lifetime seen on root certificates`
Generating a RSA private key
..............................................+++++
..............................................+++++
writing new private key to 'root_private_key.pem'
-----
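The following script is an added example, not code from the original page: it runs the procedure above end to end with the same ca.ini options, signs one client certificate with the root, and then goes one step further than the page to show what pathlen:0 actually enforces. The root will still sign a sub-CA (signing is not where the constraint is checked), but a verifier rejects any chain that passes through that sub-CA. The DN values, the names alice, bob and Example Sub CA, the extension files and the temporary working directory are all assumptions; openssl 1.1.1 or 3.x is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): build the root CA described above,
# sign a client certificate with it, then demonstrate the effect of pathlen:0.
# Assumes: openssl (1.1.1 or 3.x) on PATH; all files are written to a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Same sections as the ca.ini on the page, with constructed placeholder DN values.
write_ca_config() {
  cat > "$WORK/ca.ini" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_certificate_extensions
default_md = sha256

[ req_distinguished_name ]
C = FR
O = Example Org
CN = Example Root CA

[ ca_certificate_extensions ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# The page's one-liner: self-signed root certificate plus unencrypted private key.
make_root_ca() {
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1460 \
    -config "$WORK/ca.ini" \
    -keyout "$WORK/root_private_key.pem" -out "$WORK/root_certificate.pem" 2>/dev/null
}

# Prints the Basic Constraints value of the root certificate, e.g. "CA:TRUE, pathlen:0".
root_basic_constraints() {
  openssl x509 -in "$WORK/root_certificate.pem" -noout -text | grep -o 'CA:TRUE.*' | head -n 1
}

# Key + CSR for CN=$1, stored as $WORK/$2_key.pem and $WORK/$2.csr.
# ca.ini is passed only so that no system openssl.cnf is needed; -subj overrides its DN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.ini" -subj "/CN=$1" \
    -keyout "$WORK/${2}_key.pem" -out "$WORK/$2.csr" 2>/dev/null
}

# Sign CSR $1 with CA cert $2 and CA key $3, extensions from file $4, output to $5.
sign_with() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# End-entity client certificate signed directly by the root (the intended use).
issue_client_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/client.ext"
  make_csr alice alice
  sign_with "$WORK/alice.csr" "$WORK/root_certificate.pem" "$WORK/root_private_key.pem" \
    "$WORK/client.ext" "$WORK/alice_certificate.pem"
}

# A sub-CA signed by the root, and a client certificate signed by that sub-CA.
# openssl x509 -req does not check pathlen, so both signatures succeed;
# the constraint is enforced later, when a verifier walks the chain.
issue_via_intermediate() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/subca.ext"
  make_csr "Example Sub CA" subca
  sign_with "$WORK/subca.csr" "$WORK/root_certificate.pem" "$WORK/root_private_key.pem" \
    "$WORK/subca.ext" "$WORK/subca_certificate.pem"
  make_csr bob bob
  sign_with "$WORK/bob.csr" "$WORK/subca_certificate.pem" "$WORK/subca_key.pem" \
    "$WORK/client.ext" "$WORK/bob_certificate.pem"
}

# Prints OK or FAIL: verifies $1 as a TLS client certificate against the root, with $2
# (optional) offered as an untrusted intermediate, the way a server sees the client's chain.
verify_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root_certificate.pem" -purpose sslclient \
      -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/root_certificate.pem" -purpose sslclient \
      "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

make_root_ca
issue_client_cert
issue_via_intermediate
echo "root basicConstraints:             $(root_basic_constraints)"
echo "alice (signed by root):            $(verify_client "$WORK/alice_certificate.pem")"
echo "bob (signed by sub-CA under root): $(verify_client "$WORK/bob_certificate.pem" "$WORK/subca_certificate.pem")"
```

Run it with sh; alice verifies OK while bob's chain is rejected. Running the last openssl verify without the redirect shows the reason: error 25, path length constraint exceeded, reported on the root certificate. This is the property to rely on when you deploy such a root on an Nginx ssl_client_certificate: a leaked root key still lets an attacker mint client certificates, but nobody can quietly extend the hierarchy with a sub-CA that the server would accept.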