Sign server and client certificates

We will be signing certificates using our intermediate CA. You can use these signed certificates in a variety of situations, such as to secure connections to a web server or to authenticate clients connecting to a service.


The steps below are from your perspective as the certificate authority. A third party, however, can instead create their own private key and certificate signing request (CSR) without revealing their private key to you. They give you their CSR, and you give back a signed certificate. In that scenario, skip the genrsa and req commands.

Create a key

Our root and intermediate pairs are 4096 bits. Server and client certificates normally expire after one year, so we can safely use 2048 bits instead.


Although 4096 bits is slightly more secure than 2048 bits, it slows down TLS handshakes and significantly increases processor load during handshakes. For this reason, most websites use 2048-bit pairs.

If you’re creating a cryptographic pair for use with a web server (e.g., Apache) and protect the key with a pass phrase, you’ll need to enter that pass phrase every time you restart the web server. You may want to omit the -aes256 option to create a key without a password.

➜  CA  openssl genrsa -aes256 -out intermediate/private/ 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/
Verifying - Enter pass phrase for intermediate/private/
➜  CA  chmod 400 intermediate/private/

Create a certificate

Use the private key to create a certificate signing request (CSR). The CSR details don’t need to match the intermediate CA. For server certificates, the Common Name must be a fully qualified domain name, whereas for client certificates it can be any unique identifier (e.g., an e-mail address). Note that the Common Name cannot be the same as either your root or intermediate certificate.

➜  CA  openssl req -config intermediate/openssl.cnf -key intermediate/private/ -new -sha256 -out intermediate/csr/
Enter pass phrase for intermediate/private/
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:CN
State or Province Name [Beijing]:Beijing
Locality Name []:Haidian
Organization Name [Usoft Ltd]:Usoft Ltd
Organizational Unit Name []:Usoft Ltd gRPC services
Common Name []
Email Address []

To create a certificate, use the intermediate CA to sign the CSR. If the certificate is going to be used on a server, use the server_cert extension. If the certificate is going to be used for user authentication, use the usr_cert extension. Certificates are usually given a validity of one year, though a CA will typically give a few days extra for convenience.

➜  CA  openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/ -out intermediate/certs/
Using configuration from intermediate/openssl.cnf
Enter pass phrase for /Users/xinxingegeya/CA/intermediate/private/intermediate.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
            Not Before: Jan  3 07:45:47 2016 GMT
            Not After : Jan 12 07:45:47 2017 GMT
            countryName               = CN
            stateOrProvinceName       = Beijing
            localityName              = Haidian
            organizationName          = Usoft Ltd
            organizationalUnitName    = Usoft Ltd gRPC services
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=Beijing/L=Beijing/O=Usoft Ltd/OU=dev/

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jan 12 07:45:47 2017 GMT (375 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The intermediate/index.txt file should contain a line referring to this new certificate.

V       170112074547Z           1000    unknown /C=CN/ST=Beijing/L=Haidian/O=Usoft Ltd/OU=Usoft Ltd gRPC services/
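
The entry above follows OpenSSL's CA database layout: tab-separated fields for status, expiry, revocation date, serial, filename and subject. As an added example (not part of the original guide), the shell function below classifies each entry against a reference date so that expired or soon-to-expire certificates stand out; the names index_report and sample_index are hypothetical and the sample lines, including their subjects, are constructed.

```shell
#!/bin/sh
# Classify entries of an OpenSSL CA database (index.txt).
# Fields are TAB-separated: status, expiry, revocation date (empty unless
# revoked), serial (hex), filename, subject DN. Dates: YYMMDDHHMMSSZ.

# index_report NOW WARN_DAYS < index.txt
#   NOW is a YYMMDDHHMMSSZ stamp, e.g. "$(date -u +%y%m%d%H%M%SZ)".
# Prints "<state> <serial> <days-left> <subject>" for every entry.
index_report() {
    awk -F '\t' -v now="$1" -v warn="$2" '
    # Day number of a civil date (Gregorian), used only for differences.
    function days(y, m, d) {
        if (m <= 2) { y--; m += 12 }
        y = 365*y + int(y/4) - int(y/100) + int(y/400)
        return y + int((153*(m-3) + 2)/5) + d
    }
    # Two-digit UTCTime years: 00-49 mean 20xx, 50-99 mean 19xx.
    function stamp_days(s,   yy) {
        yy = substr(s, 1, 2) + 0
        return days((yy < 50 ? 2000 : 1900) + yy, substr(s, 3, 2) + 0, substr(s, 5, 2) + 0)
    }
    NF >= 6 {
        left = stamp_days($2) - stamp_days(now)
        if ($1 == "R")         state = "REVOKED"
        else if (left < 0)     state = "EXPIRED"   # may still be flagged V
        else if (left <= warn) state = "EXPIRING"
        else                   state = "VALID"
        printf "%s %s %d %s\n", state, $4, left, $6
    }'
}

# Constructed sample database (subjects are made up for the example).
sample_index() {
    printf 'V\t170112074547Z\t\t1000\tunknown\t/C=CN/O=Usoft Ltd/CN=constructed-a\n'
    printf 'V\t160120000000Z\t\t1001\tunknown\t/C=CN/O=Usoft Ltd/CN=constructed-b\n'
    printf 'R\t170112074547Z\t160201000000Z\t1002\tunknown\t/C=CN/O=Usoft Ltd/CN=constructed-c\n'
    printf 'V\t151231235959Z\t\t1003\tunknown\t/C=CN/O=Usoft Ltd/CN=constructed-d\n'
}

# Reference date: the issuance date shown in the signing output above.
sample_index | index_report 160103074547Z 30
```

An entry keeps its V flag after its expiry date passes until the database is refreshed with openssl ca -updatedb, which is why the function compares dates instead of trusting the flag alone.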

Verify the certificate

➜  CA  openssl x509 -noout -text -in intermediate/certs/

The output will also show the X509v3 extensions. When creating the certificate, you used either the server_cert or usr_cert extension. The options from the corresponding configuration section will be reflected in the output.

Use the CA certificate chain file we created earlier (ca-chain.cert.pem) to verify that the new certificate has a valid chain of trust.

➜  CA  openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/
intermediate/certs/ OK

Deploy the certificate

You can now either deploy your new certificate to a server, or distribute the certificate to a client. When deploying to a server application (e.g., Apache), you need to make the following files available:

  • ca-chain.cert.pem



If you’re signing a CSR from a third party, you don’t have access to their private key, so you only need to give them back the chain file (ca-chain.cert.pem) and the certificate (


