Creating a Certificate Authority and Using it to Sign Your Own Certificates for Testing

How can an adopter create a Certificate Authority and use it to sign its own certificates?

It can be useful in testing scenarios to create a CA signing certificate and use it to sign certificates. Please see the link below for more detailed information.

  1. Create a folder for storing CA certificates, then set the dir= property in openssl.cnf to point to it.
  2. To create a CA certificate using openssl, issue a command like the following:

    $ openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem

  3. Create a certificate request:

    $ openssl req -new -nodes -out provider-req.pem -keyout private/provider-key.pem
    
  4. Use the CA to generate the signed certificate using the request:

    $ openssl ca -out provider-cert.pem -infiles provider-req.pem
    
  5. The signed certificate can be converted to PKCS#12 format and then imported into a JKS keystore:

    $ openssl pkcs12 -export -in provider-cert.pem -inkey private/provider-key.pem > provider.p12
    $ keytool -importkeystore -srckeystore provider.p12 -destkeystore /path/to/somekeystore.jks -srcstoretype pkcs12


How to add a Subject Alternative Name to the certificates?

For Direct, a Subject Alternative Name (SAN) is required in the certificates. The steps below create a certificate that carries a Subject Alternative Name.

  1. Update the following sections in openssl.cnf (you can find this file under /etc/pki/tls).
    1. Add a copy_extensions setting to the appropriate CA configuration section; without it, openssl ca drops the extensions carried by the request:

      # openssl Configuration File
      ...
      [CA_default]
      copy_extensions=copy
    2. Add the following req_extensions setting to the [req] section (if not already present in your openssl.cnf file):

      # openssl Configuration File
      ...
      [req]
      req_extensions=v3_req
    3. Add the [v3_req] section header (if not already present in your openssl.cnf file). Under the [v3_req] section, add or modify the subjectAltName setting, setting it to the list of your DNS host names:

      # openssl Configuration File
      ...
      [v3_req]
      subjectAltName=DNS:direct.connectopensource.org
  2. Follow the steps from the previous section to create the certificates.
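The two procedures above (creating a test CA, then issuing a certificate with a SAN) combined into one runnable script, added here as an example and not taken from the original page or the CONNECT project. It builds a throwaway CA in a temporary directory using a minimal openssl.cnf with the three settings described, issues a certificate from a CSR that carries the SAN, and then checks whether the SAN actually appears in the issued certificate; passing "none" instead of "copy" shows the failure mode in which openssl ca silently discards it. It assumes openssl (1.1.1 or later) is on PATH; the CA name, CN and host name are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Returns 0 if the signed cert
# contains the SAN, 1 if it was dropped, 2 on an OpenSSL error.
san_survives_signing() {
  mode="$1"   # "copy" (what the page prescribes) or "none" (OpenSSL's default)
  san="DNS:direct.connectopensource.org"   # assumed host, as in the page
  work=$(mktemp -d) && cd "$work" || return 2
  mkdir -p ca/private ca/newcerts && touch ca/index.txt && echo 1000 > ca/serial
  # Minimal openssl.cnf carrying the settings the page tells you to add.
  cat > openssl.cnf <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = ./ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = $mode
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
req_extensions  = v3_req
[ req_dn ]
[ v3_req ]
subjectAltName  = $san
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage        = keyCertSign,cRLSign
EOF
  # Steps 2-4 of the page, made non-interactive (-subj, -batch; -nodes is for a test CA only).
  openssl req -new -x509 -days 3650 -nodes -config openssl.cnf -extensions v3_ca \
    -subj "/CN=Test CA" -keyout ca/private/cakey.pem -out ca/cacert.pem >/dev/null 2>&1 || return 2
  openssl req -new -nodes -config openssl.cnf -subj "/CN=provider" \
    -keyout provider-key.pem -out provider-req.pem >/dev/null 2>&1 || return 2
  openssl ca -batch -config openssl.cnf -out provider-cert.pem \
    -infiles provider-req.pem >/dev/null 2>&1 || return 2
  # The issued cert must chain to the CA, and (for Direct) must carry the SAN.
  openssl verify -CAfile ca/cacert.pem provider-cert.pem >/dev/null 2>&1 || return 2
  echo "artifacts left in $work"
  openssl x509 -in provider-cert.pem -noout -text | grep -q "$san"
}
```

Run `san_survives_signing copy` and `san_survives_signing none` and compare the exit codes; the generated files stay in the printed directory for inspection with `openssl x509 -text`.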

Making a certificate that will be signed by an external CA-OpenSSL