OpenSSL: sign https_client certificate with CA

Backend | unresolved | 1 answer | 1297 views
野趣味 2020-12-15 10:30

I need to:

  • create a CA certificate
  • create a https_client-certificate
  • sign the https_client-certificate by the CA

by using the

1 answer
  • 2020-12-15 11:09

    You are using the 'openssl ca' tool, which uses the following configuration file by default: /etc/ssl/openssl.cnf. In other words, you were not signing with your CA certificate but using the default values from that config file. You were also passing the -x509 parameter to the client certificate signing request, which led to an invalid CSR.

    Please, find below the working generation and signing commands.

    Generate CA key and cert:

    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
    -subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'
    

    Generate client key and csr:

    openssl genrsa -out client1.key 2048
    openssl req -new -key client1.key -out client1.csr \
    -subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'
    

    Generate client cert signed with CA cert:

    openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -CAserial serial -in client1.csr -out client1.pem
    

    Of course, you can set up your config file to point at the right CA files and use the 'openssl ca' tool after that.

    You can verify your certificate like this:

    openssl verify -verbose -CAfile rootCA.pem client1.pem
    