@pinelighteletype.inhttps://teletype.in/@pineligh?utm_source=teletype&utm_medium=feed_rss&utm_campaign=pinelighSat, 30 May 2026 16:31:40 GMTSat, 30 May 2026 16:31:40 GMThttps://teletype.in/@pineligh/x509https://teletype.in/@pineligh/x509?utm_source=teletype&utm_medium=feed_rss&utm_campaign=pinelighhttps://teletype.in/@pineligh/x509?utm_source=teletype&utm_medium=feed_rss&utm_campaign=pineligh#commentspinelighx509 certificate for serverTue, 21 Sep 2021 19:27:54 GMTthe following describes usage of openssl for issuing CA, mCA and server certificates.

bin for windows here (x64)

config file

you need to specify some properties in openssl.conf:

CA section:

[ ca ]
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = # directory in double quotes
certs             = $dir
new_certs_dir     = $dir
database          = $dir\\index.txt
serial = ./serial

# The root key and root certificate.
private_key       = $dir\\rootCA.key
certificate       = $dir\\rootCA.crt

default_md        = sha256

policy and request section: 

policy = policy_match

[policy_match]
commonName = supplied

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
default_md          = sha256

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
organizationName                = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name

extensions:

[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer

[ v3_mca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign
 
[ usr_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, keyCertSign, keyAgreement, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:# domain name

openssl

generate root CA certificate: 

set OPENSSL_CONF= # path without quotes

openssl req -config openssl.conf -newkey rsa:4096 -x509 -days 365 -passout pass:"qwerty" -extensions v3_ca -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="rootCA" -keyout rootCA.key -out rootCA.pem

generate middle CA certificate: 

openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="mCA" -keyout mCA.key -out mCA.csr

type null > "%CD%\index.txt"

echo 22 > "%CD%\serial"

openssl ca -verbose -config openssl.conf -extensions v3_mca -cert rootCA.pem -keyfile rootCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in mCA.csr -out mCA.pem -batch

generate server certificate:

echo 25 > "%CD%\serial"

openssl req -config openssl.conf -newkey rsa:4096 -passout pass:"qwerty" -multivalue-rdn -subj /C=RU/L=City/O=Organization/OU=OU/CN="domain name" -keyout server.key -out server.csr

openssl ca -verbose -config openssl.conf -extensions usr_cert -cert mCA.pem -keyfile mCA.key -days 365 -passin pass:"qwerty" -multivalue-rdn -in server.csr -out server.p -batch

create chain:

put server certificate in .pem file, put mCA certificate afterwards and rootCA in the end.

create private key file:

openssl rsa -in server.key -out plain.key

upload chain and key to Nginx

generating .p12 file

openssl pkcs12 -export -passin pass:"qwerty" -in server.crt -inkey server.key -chain -CAfile chain.pem -passout pass:"qwerty" -out packet.p12

chain here contains only mCA and rootCA certificates.

convert crt to pem:

openssl x509 -in server.crt -out server.pem -outform PEM
]]>