Create a key
Our root and intermediate pairs are 4096 bits. Server and client certificates normally expire after one year, so we can safely use 2048 bits instead.
openssl genrsa -aes256 \
-out intermediate/private/www.example.com.key 2048
Create a certificate
Use the private key to create a certificate signing request (CSR). The CSR details don't need to match the intermediate CA. For server certificates, the Common Name must be a fully qualified domain name (e.g., www.example.com), whereas for client certificates it can be any unique identifier (e.g., an e-mail address). Note that the Common Name cannot be the same as that of either your root or intermediate certificate.
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/www.example.com.key \
-new -sha256 -out intermediate/csr/www.example.com.csr
Enter pass phrase for www.example.com.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
Country Name (2 letter code) [AU]:
State or Province Name [New South Wales]:
Locality Name :
Organization Name [GatwardIT]:
Organizational Unit Name :GatwardIT Web Services
Common Name :www.example.com
Email Address :
To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.
If we want the certificate to match alternative DNS names as well, we can list them in the subjectAltName (SAN) extension.
Our config file has a section that populates subjectAltName with the contents of the environment variable SAN, so set SAN before running the signing command.
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
Verify the certificate
openssl x509 -noout -text \
Use the CA certificate chain file we created earlier (GatwardIT-chain.pem) to verify that the new certificate has a valid chain of trust.
openssl verify -CAfile intermediate/certs/GatwardIT-chain.pem \