Creating Your Intermediary Certificate Authority

Previously we created the first part of our OpenSSL CA by building our root certificate. We are now ready to complete our CA chain by creating and signing the intermediary certificate. The intermediary will be responsible for signing client and server certificate requests. It acts as an authoritative proxy for the root certificate, hence the name intermediary. The chain of trust will extend from the root certificate to the intermediary certificate down to the certificates you'll deploy within your infrastructure.

Create your directory structure

Create a new subdirectory under /root/ca to segregate intermediary files from our root configuration. We're creating the same directory structure previously used under /root/ca within /root/ca/intermediate. It's your decision if you want to do something different. Some of my best friends are flat directory structures and we don't judge personal practices.

Create your intermediary CA database to keep track of signed certificates

# cd /root/ca/intermediate
# echo 1000 > serial

Create a crlnumber file for the intermediary CA to use

# echo 1000 > /root/ca/intermediate/crlnumber

Similar to the earlier serial statement, this will create the crlnumber file and start the numerical iteration at 1000. This will be used for future certificate revocation needs.

Create your OpenSSL intermediary config file

Copy the GIST openssl_intermediate.cnf file to /root/ca/intermediate/openssl_intermediate.cnf and modify the contents for your own naming conventions. Similar to the root_ca.cnf, the is required and will gather its configuration from the section.

private_key = $dir/private/
certificate = $dir/cers/

We have new certificate names for our intermediary use and define policy_loose so future certificate requests don't have to match country, state/province, or organization.

Create the Intermediary's Private Key and Certificate Signing Request
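The directory, serial and crlnumber steps described above, as an added shell example that is not from the original tutorial: it builds the layout and checks it before anything is signed. The subdirectory names and index.txt are assumptions, since the page does not list them, and the demo runs in a scratch directory rather than /root/ca/intermediate.

```sh
#!/bin/sh
# Added example. Assumed names (not on the page): the five subdirectories
# and index.txt as the CA database file.

setup_intermediate_ca() (
    ca_dir=$1
    umask 077   # subshell body: the tightened umask does not leak to the caller
    for d in certs crl csr newcerts private; do
        mkdir -p "$ca_dir/$d" || exit 1
    done
    chmod 700 "$ca_dir/private"
    # Create counters only if absent: resetting them on a live CA reissues
    # serial numbers, and revocation identifies certificates by serial.
    [ -e "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
    [ -e "$ca_dir/serial" ]    || echo 1000 > "$ca_dir/serial"
    [ -e "$ca_dir/crlnumber" ] || echo 1000 > "$ca_dir/crlnumber"
)

is_even_hex() {
    # openssl parses these counter files as hex and rejects an odd digit count
    v=$(cat "$1" 2>/dev/null) || return 1
    case $v in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ $(( ${#v} % 2 )) -eq 0 ]
}

check_intermediate_ca() {
    ca_dir=$1 rc=0
    for f in index.txt serial crlnumber; do
        [ -f "$ca_dir/$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    is_even_hex "$ca_dir/serial"    || { echo "bad serial" >&2; rc=1; }
    is_even_hex "$ca_dir/crlnumber" || { echo "bad crlnumber" >&2; rc=1; }
    # The private key directory must be readable by its owner only
    perms=$(ls -ld "$ca_dir/private" 2>/dev/null | cut -c1-10)
    [ "$perms" = "drwx------" ] || { echo "private/ must be mode 700" >&2; rc=1; }
    return $rc
}

# Demo in a scratch directory (constructed path, not the real CA host)
demo=$(mktemp -d)
setup_intermediate_ca "$demo/intermediate" \
    && check_intermediate_ca "$demo/intermediate" \
    && echo "layout ok: $demo/intermediate"
```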