doc/security/openssl_selfsigned_certificate_chain.adoc

= OpenSSL Self-signed Certificate Chain

// Copyright 2023 Jake Winters
// SPDX-License-Identifier: CC-BY-4.0

Version: 0.0.5.14


This documentation contains the complete set of commands to create a new OpenSSL self-signed
certificate chain with V3 subjectAltName (SAN) extensions enabled.
Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string.
Each key can be encrypted or unencrypted, with multiple encryption options; AES is recommended.
Optional verification can also be performed between multiple levels of certificates to ensure the
chain of trust is valid.


== Create Certificate Authority Key

`openssl genrsa -aes256 -out ca-key.pem 4096`

== Verify Certificate Authority Key

`openssl rsa -noout -text -in ca-key.pem`

== Create Certificate Authority Certificate

`openssl req -new -x509 -days 3653 -extensions v3_ca -key ca-key.pem -out ca-crt.pem`

== Convert Certificate to PEM Format

`openssl x509 -in ca-crt.pem -out ca-crt.pem -outform PEM`

== Verify Certificate Authority Certificate

`openssl x509 -noout -text -in ca-crt.pem`

== Create Intermediate Certificate Authority Key

`openssl genrsa -aes256 -out intermediate-key.pem 4096`

== Verify Intermediate Certificate Authority Key

`openssl rsa -noout -text -in intermediate-key.pem`

== Create Intermediate Certificate Signing Request

`openssl req -new -sha256 -key intermediate-key.pem -out intermediate-csr.pem`

== Create Intermediate Certificate Authority Certificate

`openssl ca -config intermediate.conf -extensions v3_intermediate_ca -days 1096 -notext -md sha256 -in intermediate-csr.pem -out intermediate-crt.pem`

== Verify Intermediate Certificate Authority Certificate

`openssl x509 -noout -text -in intermediate-crt.pem`

== Verify Chain of Trust (CA to Intermediate)

`openssl verify -CAfile ca-crt.pem intermediate-crt.pem`

== Create Server Key

`openssl genrsa -aes256 -out server-key.pem 2048`

== Verify Server Key

`openssl rsa -noout -text -in server-key.pem`

== Create Server Cerificate Signing Request

`openssl req -new -sha256 -subj "/C=/ST=/L=/O=/CN=" -addext "subjectAltName = DNS.1:" -key server-key.pem -out server-csr.pem`

== Create Server Certificate

`openssl x509 -sha256 -req  -days 365 -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out server-crt.pem`

== Verify Server Certificate

`openssl x509 -noout -text -in server-crt.pem`

== Verify Chain of Trust (Intermediate to Server)

`openssl verify -CAfile intermediate-crt.pem server-crt.pem`
Clarify documentation is for self-signed certificate chains. 2023-05-30 00:52:23 +01:00			`= OpenSSL Self-signed Certificate Chain`
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00
Add copyright and licensing header 2023-07-16 02:52:56 +01:00			`// Copyright 2023 Jake Winters`
			`// SPDX-License-Identifier: CC-BY-4.0`

			`Version: 0.0.5.14`
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00

			`This documentation contains the complete set of commands to create a new OpenSSL self-signed`
			`certificate chain with V3 subjectAltName (SAN) extensions enabled.`
			`Multiple SANs can be included in a certificate by adding each domain as a comma-delimited string.`
Correction for key encryption, not certificate encryption. 2023-05-30 00:30:55 +01:00			`Each key can be encrypted or unencrypted, with multiple encryption options; AES is recommended.`
Mention optional chain of trust verification. 2023-05-30 00:44:14 +01:00			`Optional verification can also be performed between multiple levels of certificates to ensure the`
			`chain of trust is valid.`
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00

			`== Create Certificate Authority Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl genrsa -aes256 -out ca-key.pem 4096`

			`== Verify Certificate Authority Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl rsa -noout -text -in ca-key.pem`

			`== Create Certificate Authority Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl req -new -x509 -days 3653 -extensions v3_ca -key ca-key.pem -out ca-crt.pem`

			`== Convert Certificate to PEM Format`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl x509 -in ca-crt.pem -out ca-crt.pem -outform PEM`

			`== Verify Certificate Authority Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl x509 -noout -text -in ca-crt.pem`

			`== Create Intermediate Certificate Authority Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl genrsa -aes256 -out intermediate-key.pem 4096`

Clarify intermediate certificate authority key verification is for intermediate certificate authority key. 2023-05-30 00:35:14 +01:00			`== Verify Intermediate Certificate Authority Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Fix intermediate certificate authority key filename. 2023-05-30 00:37:41 +01:00			`openssl rsa -noout -text -in intermediate-key.pem`
Also verify intermediate certificate authority key. 2023-05-30 00:33:48 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`== Create Intermediate Certificate Signing Request`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl req -new -sha256 -key intermediate-key.pem -out intermediate-csr.pem`

			`== Create Intermediate Certificate Authority Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl ca -config intermediate.conf -extensions v3_intermediate_ca -days 1096 -notext -md sha256 -in intermediate-csr.pem -out intermediate-crt.pem`

Also verify intermediate certificate authority certificate. 2023-05-30 00:36:59 +01:00			`== Verify Intermediate Certificate Authority Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Also verify intermediate certificate authority certificate. 2023-05-30 00:36:59 +01:00			`openssl x509 -noout -text -in intermediate-crt.pem`

Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`== Verify Chain of Trust (CA to Intermediate)`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl verify -CAfile ca-crt.pem intermediate-crt.pem`

			`== Create Server Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl genrsa -aes256 -out server-key.pem 2048`

Also verify server key. 2023-05-30 00:39:23 +01:00			`== Verify Server Key`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Also verify server key. 2023-05-30 00:39:23 +01:00			`openssl rsa -noout -text -in server-key.pem`

Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`== Create Server Cerificate Signing Request`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl req -new -sha256 -subj "/C=/ST=/L=/O=/CN=" -addext "subjectAltName = DNS.1:" -key server-key.pem -out server-csr.pem`

			`== Create Server Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Add OpenSSL Certificate Chain documentation. 2023-05-30 00:27:10 +01:00			`openssl x509 -sha256 -req -days 365 -in server-csr.pem -CA intermediate-crt.pem -CAkey intermediate-key.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:")) -out server-crt.pem`
Also verify server certificate. 2023-05-30 00:40:31 +01:00
			`== Verify Server Certificate`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Also verify server certificate. 2023-05-30 00:40:31 +01:00			`openssl x509 -noout -text -in server-crt.pem`
Also verify chain of trust from intermediate certificate authority certificate to server certificate. 2023-05-30 00:42:17 +01:00
			`== Verify Chain of Trust (Intermediate to Server)`
Fix AsciiDoc syntax. 2023-06-01 16:52:51 +01:00
Also verify chain of trust from intermediate certificate authority certificate to server certificate. 2023-05-30 00:42:17 +01:00			`openssl verify -CAfile intermediate-crt.pem server-crt.pem`