Create the intermediate pair
Posted by 秋风醉了, 2 years ago

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust: root certificate, intermediate certificate, end-entity certificate.

The main reason to use an intermediate CA is security. The root key can be kept offline and used as infrequently as possible (in this walkthrough, only to sign the intermediate). If the intermediate key is compromised, the root CA can revoke the intermediate certificate and sign a new intermediate key pair, while the root certificate that clients already trust stays unchanged.

Prepare the directory

The root CA files are kept in ~/CA. Choose a different directory (~/CA/intermediate) to store the intermediate CA files.

➜  CA  mkdir intermediate
➜  CA  ll
total 24
drwxr-xr-x  3 xinxingegeya  staff   102B  1  3 12:31 certs
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 12:00 crl
-rw-r--r--  1 xinxingegeya  staff     0B  1  3 12:00 index.txt
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 13:49 intermediate
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 12:00 newcerts
-rw-r--r--  1 xinxingegeya  staff   4.1K  1  3 12:56 openssl.cnf
drwx------  3 xinxingegeya  staff   102B  1  3 12:25 private
-rw-r--r--  1 xinxingegeya  staff     5B  1  3 12:01 serial
➜  CA  cd intermediate
➜  intermediate  ll
➜  intermediate  mkdir certs crl csr newcerts private
➜  intermediate  chmod 700 private
➜  intermediate  touch index.txt
➜  intermediate  echo 1000 > serial

Add a crlnumber file to the intermediate CA directory tree. crlnumber holds the serial number of the next certificate revocation list (CRL) the intermediate CA issues; the openssl ca tool increments it each time a CRL is generated.

➜  intermediate  echo 1000 > ~/CA/intermediate/crlnumber


➜  intermediate  touch ~/CA/intermediate/openssl.cnf

touch only creates an empty file. Before the request step below, populate intermediate/openssl.cnf with the intermediate CA configuration: the same layout as ~/CA/openssl.cnf, but with dir pointing at ~/CA/intermediate and the private key and certificate paths pointing at intermediate.key.pem and intermediate.cert.pem. The defaults shown in the prompts below ([CN], [Beijing], [Usoft Ltd]) come from this file. The v3_intermediate_ca extension section used when signing lives in the root CA's ~/CA/openssl.cnf, since that is the configuration the root uses to sign.


Create the intermediate key

Create the intermediate key (intermediate.key.pem). Encrypt the intermediate key with AES 256-bit encryption and a strong password.

➜  CA  openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
➜  CA  chmod 400 intermediate/private/intermediate.key.pem

Create the intermediate certificate

Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.


Make sure you specify the intermediate CA configuration file (intermediate/openssl.cnf).

➜  CA  openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:CN
State or Province Name [Beijing]:Beijing
Locality Name []:Beijing
Organization Name [Usoft Ltd]:Usoft Ltd
Organizational Unit Name []:it
Common Name []
Email Address []

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate. Ten years would be reasonable. Note that in the transcript above the Common Name prompt was left blank, so the signed certificate below carries an empty commonName; give the intermediate its own distinct Common Name (for example "Usoft Intermediate CA", a placeholder here) so that it can be told apart from the root in certificate viewers and in index.txt.


This time, specify the root CA configuration file (~/CA/openssl.cnf).

➜  CA  openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /Users/xinxingegeya/CA/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
            Not Before: Jan  3 07:25:21 2016 GMT
            Not After : Dec 31 07:25:21 2025 GMT
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Usoft Ltd
            organizationalUnitName    = it
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Dec 31 07:25:21 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The index.txt file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate: V (valid), the expiry date, the serial number 1001 (0x1001, matching the Certificate Details above), and the subject DN.

V       251231072521Z           1001    unknown /C=CN/ST=Beijing/O=Usoft Ltd/OU=it/

Verify the intermediate certificate

As we did for the root certificate, check that the details of the intermediate certificate are correct.

➜  CA  openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

➜  CA  openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
intermediate/certs/intermediate.cert.pem: OK

Create the certificate chain file

When an application (e.g., a web browser) tries to verify a certificate signed by the intermediate CA, it must also verify the intermediate certificate against the root certificate. To complete the chain of trust, create a CA certificate chain to present to the application.

To create the CA certificate chain, concatenate the intermediate and root certificates together, intermediate first. We will use this file later to verify certificates signed by the intermediate CA.

➜  CA  cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem


Our certificate chain file must include the root certificate because no client application knows about it yet. A better option, particularly if you are administering an intranet, is to install your root certificate on every client that needs to connect. In that case, the chain file need only contain your intermediate certificate: a client that already trusts the root gains nothing from receiving it again, and a client that does not trust it will not start trusting it because a server sent it.

