"openssl x509 -CA ..." - CA Signing Certificate

This section describes the 'openssl x509 -CA ...' command, which allows you to act as a CA (Certificate Authority): it takes a CSR, verifies the requester's self-signature on it, and issues a certificate signed with the CA's own private key.

The "openssl x509 -CA ..." command is used to sign a CSR into a certificate as shown in this tutorial:

1. Generate a self-signed certificate to be used as a CA.

herong$ openssl req -x509 -out ca-cert.pem \
  -newkey ec -pkeyopt ec_paramgen_curve:P-384 -keyout ca-key.pem

Generating an EC private key
writing new private key to 'ca-key.pem'
Enter PEM pass phrase: TopSecret
Verifying - Enter PEM pass phrase: TopSecret

-----
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [AU]:ZZ
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.      
Organizational Unit Name (eg, section) []: 
Common Name (e.g. server FQDN or YOUR name) []:ZZ Root CA      
Email Address []:

2. Look at information in the CA certificate.

herong$ openssl x509 -in ca-cert.pem -noout \
  -subject -issuer -ext basicConstraints

subject=C = ZZ, CN = ZZ Root CA
issuer=C = ZZ, CN = ZZ Root CA
X509v3 Basic Constraints: critical
    CA:TRUE

3. Look at information in the CSR received.

herong$ openssl req -in csr.pem -subject -noout

subject=C = ZZ, L = My City, CN = Herong Yang

4. Sign the CSR into a certificate using ca-cert.pem and ca-key.pem. The "Signature ok" line means the CSR's self-signature verified, which only proves that the requester holds the private key matching the public key in the CSR; checking that the requester is really the entity named in the subject is still the CA's job and is not done by this command.

herong$ openssl x509 -req -in csr.pem -out cert.pem \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial

Signature ok
subject=C = ZZ, L = My City, CN = Herong Yang
Getting CA Private Key
Enter pass phrase for ca-key.pem: TopSecret

5. Look at information in the certificate.

herong$ openssl x509 -in cert.pem -text -noout

Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number:
      0f:00:6b:4c:69:47:e4:5d:39:88:3e:99:ad:e9:ab:ea:9a:6c:55:69
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = ZZ, CN = ZZ Root CA
    Validity
      Not Before: Nov 18 22:01:43 2024 GMT
      Not After : Dec 18 22:01:43 2024 GMT
    Subject: C = ZZ, L = My City, CN = Herong Yang
    Subject Public Key Info:
      Public Key Algorithm: id-ecPublicKey
        Public-Key: (384 bit)
        pub:
          04:76:66:7b:d2:f6:c3:64:35:23:e2:63:d7:d1:9a:
          f8:e9:f5:7a:79:ac:82:0a:93:10:3d:f5:ce:b6:8b:
          ...
          c6:50:ea:f9:68:85:41
        ASN1 OID: secp384r1
        NIST CURVE: P-384
  Signature Algorithm: ecdsa-with-SHA256
    30:65:02:30:04:d8:b1:c7:f2:58:9a:ce:dc:bc:fd:a9:55:7e:
    5e:b9:57:d0:24:eb:50:6a:97:c0:ea:dc:12:52:da:33:e1:a1:
    ...
    7c:fa:37:05:ee:e9:32:f2:bb:cd:96:24:0e
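The five steps above, rewritten as one unattended script. This is an added example, not code from the original page: "-subj" replaces the interactive DN prompts, "-nodes" leaves the CA key unencrypted so the script can run without a pass phrase (protect a real CA key), and step 4 passes an extension file so the signed certificate is an X.509v3 certificate with the Basic Constraints, Key Usage and Subject Alternative Name that TLS clients require, instead of the bare Version 1 certificate the plain command produces. It assumes an OpenSSL 1.1.1 or 3.x binary on PATH; the file names under the work directory, the DNS names in the SAN and the 365-day lifetimes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the five steps of the
# section run non-interactively, plus the extensions a usable end-entity
# certificate needs. Assumes an OpenSSL 1.1.1+ or 3.x binary on PATH.
# File names, DNS names and lifetimes below are this example's own choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/ca-key.pem"; CA_CERT="$WORK/ca-cert.pem"
LEAF_KEY="$WORK/key.pem";  CSR="$WORK/csr.pem"; CERT="$WORK/cert.pem"

# Step 1: self-signed CA certificate. -nodes skips the pass phrase so the
# script runs unattended; -subj replaces the interactive DN prompts.
# "openssl req -x509" marks the result CA:TRUE and adds a Subject Key Id.
make_ca() {
  openssl req -x509 -nodes -days 365 \
    -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
    -keyout "$CA_KEY" -out "$CA_CERT" \
    -subj "/C=ZZ/CN=ZZ Root CA" 2>/dev/null
}

# Steps 2 and 3: print the subject of a certificate or of a CSR.
cert_subject() { openssl x509 -in "$1" -noout -subject; }
csr_subject()  { openssl req  -in "$1" -noout -subject; }

# The CSR the CA "receives": a fresh P-256 key and a request for it.
make_csr() {
  openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -keyout "$LEAF_KEY" -out "$CSR" \
    -subj "/C=ZZ/L=My City/CN=Herong Yang" 2>/dev/null
}

# Step 4, with extensions: without -extfile, "openssl x509 -req" emits a
# Version 1 certificate that carries no SAN, no Key Usage and no Basic
# Constraints. The CA decides the extensions here; nothing is copied from
# the CSR, so a requester cannot smuggle in CA:TRUE or extra names.
sign_csr() {
  cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
  openssl x509 -req -in "$CSR" -out "$CERT" -days 365 -sha384 \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORK/leaf.ext" 2>/dev/null
}

# Step 5 plus the check a TLS client actually performs: chain to the CA,
# accept only server-auth purpose, and match the hostname against the SAN.
verify_cert() {
  openssl verify -CAfile "$CA_CERT" -purpose sslserver \
    -verify_hostname www.example.com "$CERT"
}

# Return the X.509 version of a certificate ("1" or "3") for callers to check.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

make_ca
make_csr
sign_csr
cert_subject "$CA_CERT"
csr_subject "$CSR"
verify_cert
```

Running it prints the CA subject, the CSR subject and a final "cert.pem: OK" from openssl verify. Drop the -extfile line to reproduce the tutorial's Version 1 output and the hostname check fails, because a Version 1 certificate has no Subject Alternative Name to match.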

Cool! I have successfully completed the entire certificate generation process using "openssl" commands: from private/public key generation, to CSR generation, to self-signed CA certificate generation, to CSR signing.

The final output, cert.pem, binds my name to my public key and bears a digital signature issued by a CA. But it contains only the minimum information and is not suitable for any PKI application: it is a Version 1 certificate with no extensions at all, so it has no Subject Alternative Name for a browser or TLS library to match a host name against, no Key Usage or Extended Key Usage to restrict what the key may be used for, no Basic Constraints stating that it is not itself a CA, and no Authority Key Identifier to help locate the issuer. It is also only valid for 30 days, the default when "-days" is not given. "openssl x509 -req" copies no extensions from the CSR; if you want extensions you must supply them yourself with "-extfile" (OpenSSL 3 additionally offers "-copy_extensions"), and the CA, not the requester, should decide what they are.

In order to generate a usable certificate with a proper extension profile and a record of what has been issued, you need to use the "openssl ca" command as shown in the next chapter.
