Signing a Server Certificate

Create a key

Our root and intermediate pairs are 4096 bits. Server and client certificates normally expire after one year, so we can safely use 2048 bits instead.

cd /etc/pki/CA
openssl genrsa -aes256 \
-out intermediate/private/www.example.com.key 2048

chmod 400 intermediate/private/www.example.com.key

Create a certificate

Use the private key to create a certificate signing request (CSR). The CSR details don’t need to match the intermediate CA. For server certificates, the Common Name must be a fully qualified domain name (eg, www.example.com), whereas for client certificates it can be any unique identifier (eg, an e-mail address). Note that the Common Name cannot be the same as either your root or intermediate certificate.

cd /etc/pki/CA
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/www.example.com.key \
-new -sha256 -out intermediate/csr/www.example.com.csr  
Enter pass phrase for www.example.com.key: secretpasswordYou are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [AU]:
State or Province Name [New South Wales]:
Locality Name []:
Organization Name [GatwardIT]:
Organizational Unit Name []:GatwardIT Web Services
Common Name []:www.example.com
Email Address []:

To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.

If we want to allow alternative DNS matches for the certificate we can use the SubjectAltNames section to define them.
Our config file has a section that will populate the SubjectAltNames section with the content of the environment variable SAN.

export SAN=DNS:www.example.com,DNS:hostname2.example.com,IP:192.168.1.2
cd /etc/pki/CA
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/www.example.com.csr \
-out intermediate/certs/www.example.com.pem
chmod 444 intermediate/certs/www.example.com.pem

Verify the certificate

openssl x509 -noout -text \
-in intermediate/certs/www.example.com.pem

Use the CA certificate chain file we created earlier (GatwardIT-chain.pem) to verify that the new certificate has a valid chain of trust.

openssl verify -CAfile intermediate/certs/GatwardIT-chain.pem \
intermediate/certs/www.example.com.pem