Signing a Server Certificate

Create a key

Our root and intermediate pairs are 4096 bits. Server and client certificates normally expire after one year, so we can safely use 2048 bits instead.

cd /etc/pki/CA
openssl genrsa -aes256 \
-out intermediate/private/ 2048

chmod 400 intermediate/private/

Create a certificate

Use the private key to create a certificate signing request (CSR). The CSR details don't need to match the intermediate CA. For server certificates, the Common Name must be a fully qualified domain name, whereas for client certificates it can be any unique identifier (eg, an e-mail address). Note that the Common Name cannot be the same as either your root or intermediate certificate. Also bear in mind that RFC 2818 deprecated hostname matching on the Common Name and current browsers (Chrome since version 58, for example) ignore it entirely: a server certificate is only valid for the names listed in its subjectAltName extension, which our config populates from the SAN environment variable at signing time.

cd /etc/pki/CA
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/ \
-new -sha256 -out intermediate/csr/
Enter pass phrase for secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
Country Name (2 letter code) [AU]:
State or Province Name [New South Wales]:
Locality Name []:
Organization Name [GatwardIT]:
Organizational Unit Name []:GatwardIT Web Services
Common Name []:
Email Address []:

To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.

If we want the certificate to be valid for additional DNS names, we define them in the subjectAltName (SAN) extension.
Our config file has a section that populates subjectAltName with the content of the environment variable SAN, so it must be exported before running openssl ca below, in OpenSSL's own syntax (eg, SAN="DNS:host.example.com,DNS:www.example.com"). OpenSSL substitutes environment variables while it parses the config, so an unset SAN makes the command fail before anything is signed, and a SAN that omits the Common Name's FQDN yields a certificate that clients will reject for that name, since they match the hostname against the SAN list rather than the Common Name.

cd /etc/pki/CA
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/ \
-out intermediate/certs/
chmod 444 intermediate/certs/

Verify the certificate

openssl x509 -noout -text \
-in intermediate/certs/

Use the CA certificate chain file we created earlier (GatwardIT-chain.pem) to verify that the new certificate has a valid chain of trust.

openssl verify -CAfile intermediate/certs/GatwardIT-chain.pem \
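The whole procedure above, run end to end against a throwaway CA, as an added example that is not part of the original page's commands. It builds a root and an intermediate CA in a temp directory using the same openssl ca directory layout (index.txt, serial, newcerts), issues a server certificate whose subjectAltName comes from the SAN environment variable, builds the chain file, and then checks the result the way a TLS client would: chain, server purpose and hostname. It assumes openssl 1.1.1 or 3.x on PATH; the names (www.example.test, "Test Root CA" and so on), the minimal openssl.cnf and the helper functions are constructed for the example, and keys are left unencrypted with -nodes so nothing prompts, which is only acceptable for a disposable test CA.

```bash
#!/usr/bin/env bash
# Added example (not the page's own commands): throwaway root + intermediate CA,
# a server cert with its SAN taken from the environment, and client-style checks.
# Assumes openssl 1.1.1 or 3.x on PATH; keys are unencrypted (-nodes) so it
# runs without prompts, unlike the aes256-protected keys used on the page.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# OpenSSL expands ${ENV::...} references while parsing the config, so both
# variables must exist for every command that loads it (SAN may be empty).
export CADIR="$WORK/root" SAN=""

cat > "$CNF" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ${ENV::CADIR}
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.cert.pem
private_key   = $dir/private/ca.key.pem
default_md    = sha256
policy        = policy_loose
[ policy_loose ]
commonName             = supplied
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = ${ENV::SAN}
EOF

# Minimal 'openssl ca' directory layout: index, serial and issued-cert store.
init_ca_dir() {
    mkdir -p "$1/newcerts" "$1/private"
    touch "$1/index.txt"
    echo 1000 > "$1/serial"
}
# sign_csr CADIR CSR OUT EXTENSIONS SAN: wraps 'openssl ca' so the SAN for this
# one certificate is passed explicitly rather than inherited from the shell.
sign_csr() {
    CADIR="$1" SAN="$5" openssl ca -batch -config "$CNF" -extensions "$4" \
        -days 375 -notext -md sha256 -in "$2" -out "$3" 2>/dev/null
}
# cert_san CERT: print the subjectAltName values, e.g. "DNS:a, DNS:b".
cert_san() {
    openssl x509 -noout -text -in "$1" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
# cert_verify_host CHAIN CERT HOST: trust only CHAIN (not the system store),
# require the TLS-server purpose and match HOST against the SAN.
cert_verify_host() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -purpose sslserver \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

init_ca_dir "$WORK/root"                       # root CA, self-signed
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/root/private/ca.key.pem" -out "$WORK/root/ca.cert.pem" \
    -subj "/CN=Test Root CA" -days 30 2>/dev/null

init_ca_dir "$WORK/intermediate"               # intermediate CA, signed by root
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/intermediate/private/ca.key.pem" \
    -subj "/CN=Test Intermediate CA" -out "$WORK/intermediate.csr" 2>/dev/null
sign_csr "$WORK/root" "$WORK/intermediate.csr" "$WORK/intermediate/ca.cert.pem" v3_intermediate_ca ""
CHAIN="$WORK/chain.pem"                        # intermediate first, then root
cat "$WORK/intermediate/ca.cert.pem" "$WORK/root/ca.cert.pem" > "$CHAIN"

FQDN="www.example.test"                        # server cert, signed by intermediate
SERVER_CERT="$WORK/$FQDN.cert.pem"
openssl genrsa -out "$WORK/$FQDN.key.pem" 2048 2>/dev/null
openssl req -new -config "$CNF" -key "$WORK/$FQDN.key.pem" -sha256 \
    -subj "/O=Test/OU=Web Services/CN=$FQDN" -out "$WORK/$FQDN.csr" 2>/dev/null
sign_csr "$WORK/intermediate" "$WORK/$FQDN.csr" "$SERVER_CERT" server_cert "DNS:$FQDN,DNS:example.test"

echo "SAN: $(cert_san "$SERVER_CERT")"
cert_verify_host "$CHAIN" "$SERVER_CERT" "$FQDN" && echo "$FQDN: chain and hostname OK"
cert_verify_host "$CHAIN" "$SERVER_CERT" other.example.test || echo "other.example.test: rejected, not in SAN"
cert_verify_host "$WORK/intermediate/ca.cert.pem" "$SERVER_CERT" "$FQDN" || echo "intermediate alone: rejected, root missing"
```

Two of the checks are deliberately negative: a hostname that is not in the SAN list is rejected even though the chain is fine, and verifying against the intermediate certificate alone fails because openssl verify, like a browser, needs the chain to end at a self-signed root it trusts, which is why the page's chain file carries both the intermediate and the root.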