Documentation - OpenSSL Self-signed Certificate Chain

This documentation contains the complete set of commands to create a new OpenSSL self-signed certificate chain with V3 subjectAltName (SAN) extensions enabled. SANs can be included in a certificate by adding each domain as a comma-delimited string.

Each key can be encrypted or unencrypted, with multiple encryption options; AES (aes128 or aes256) is recommended.

Optional verification can also be performed between multiple levels of certificates to ensure the chain of trust is valid.

This documentation is also available in portable AsciiDoc format in my documentation source code repository.

Create Certificate Authority Key

openssl genrsa <encryption type> -out <CA key name>.pem <key size>

Verify Certificate Authority Key

openssl rsa -noout -text -in <CA key name>.pem

Create Certificate Authority Certificate

openssl req -new -x509 -days <days of validity> -extensions v3_ca -key <CA key name>.pem -out <CA certificate name>.pem

Convert Certificate to PEM Format

openssl x509 -in <CA certificate name>.pem -out <CA certificate name>.pem -outform PEM

Verify Certificate Authority Certificate

openssl x509 -noout -text -in <CA certificate name>.pem

Create Intermediate Certificate Authority Key

openssl genrsa <encryption type> -out <intermediate CA key name>.pem <key size>

Verify Intermediate Certificate Authority Key

openssl rsa -noout -text -in <intermediate CA key name>.pem

Create Intermediate Certificate Authority Signing Request

openssl req -new -sha256 -key <intermediate CA key name>.pem -out <intermediate CA certificate signing request name>.pem

Create Intermediate Certificate Authority Certificate

openssl ca -config <intermediate CA configuration file> -extensions v3_intermediate_ca -days <days of validity> -notext -md sha256 -in <intermediate CA certificate signing request name>.pem -out <intermediate CA certificate name>.pem

The configuration file passed to openssl ca must define the CA database, serial number file, signing key and certificate, and a v3_intermediate_ca extension section; the signing key and certificate named in that file are those of the root Certificate Authority created above.

Verify Intermediate Certificate Authority Certificate

openssl x509 -noout -text -in <intermediate CA certificate name>.pem

Verify Chain of Trust (CA to Intermediate)

openssl verify -CAfile <CA certificate name>.pem <intermediate CA certificate name>.pem

Create Server Key

openssl genrsa <encryption type> -out <server key name>.pem <key size>

Verify Server Key

openssl rsa -noout -text -in <server key name>.pem

Create Server Certificate Signing Request

openssl req -new -sha256 -subj "/C=<country>/ST=<state/province>/L=<locality>/O=<organization>/CN=<common name>" -addext "subjectAltName = DNS.1:<alternative DNS entry>" -key <server key name>.pem -out <server certificate signing request name>.pem

Create Server Certificate

openssl x509 -sha256 -req -days <days of validity> -CAcreateserial -in <server certificate signing request name>.pem -CA <intermediate CA certificate name>.pem -CAkey <intermediate CA key name>.pem -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS.1:<alternative DNS entry>")) -out <server certificate name>.pem

-CAcreateserial creates the intermediate CA's serial number file on first use. openssl x509 -req does not copy extensions from the signing request into the certificate, so the SAN list is supplied again here through the [SAN] section of the extension file; the process substitution requires bash.

Verify Server Certificate

openssl x509 -noout -text -in <server certificate name>.pem

Verify Chain of Trust (Intermediate to Server)

openssl verify -partial_chain -CAfile <intermediate CA certificate name>.pem <server certificate name>.pem

-partial_chain is required because the intermediate certificate is not self-signed: without it, openssl verify refuses to use it as a trust anchor and fails with "unable to get issuer certificate". To verify the complete chain up to the root instead, pass the root with -CAfile and the intermediate with -untrusted.
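The full procedure above, run end to end as an added example (not the page's own commands): it builds the root CA, intermediate CA and server certificate non-interactively in a scratch directory, supplies the SAN list through an extension file section as the server-certificate step does, and verifies the finished chain against the root. Assumptions: OpenSSL 1.1.1 or newer is on PATH; the file names, subject names, validity periods and example.test host names are placeholders chosen here; keys are generated without a passphrase so that nothing prompts. Unlike the openssl ca step above, the intermediate is signed with openssl x509 -req and an extension file, which needs no CA database.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the whole procedure above
# non-interactively in a scratch directory and verifies the resulting chain.
# Assumptions: OpenSSL 1.1.1 or newer is on PATH; the file names, subject
# names and example.test host names below are placeholders chosen for this demo.
set -eu

# Extension sections for each level of the chain, written to $1/ext.cnf.
# $2 is the subjectAltName list for the server certificate (DNS:a,DNS:b,...).
write_ext_config() {
    cat > "$1/ext.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer

[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = $2
EOF
}

# Build root CA -> intermediate CA -> server certificate in directory $1.
# Keys are left unencrypted so the demo needs no passphrase prompts; for a
# real CA add -aes256 to each genrsa call, as the page recommends.
build_chain() {
    dir=$1
    mkdir -p "$dir"
    write_ext_config "$dir" "$2"

    # Root CA: key plus self-signed certificate carrying the v3_ca extensions.
    openssl genrsa -out "$dir/root-ca.key.pem" 2048
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ext.cnf" \
        -extensions v3_ca -key "$dir/root-ca.key.pem" \
        -subj "/O=Example Lab/CN=Example Root CA" -out "$dir/root-ca.cert.pem"

    # Intermediate CA: key, CSR, certificate signed by the root (pathlen:0 stops
    # the intermediate from issuing further CA certificates).
    openssl genrsa -out "$dir/int-ca.key.pem" 2048
    openssl req -new -sha256 -config "$dir/ext.cnf" -key "$dir/int-ca.key.pem" \
        -subj "/O=Example Lab/CN=Example Intermediate CA" -out "$dir/int-ca.csr.pem"
    openssl x509 -req -sha256 -days 1825 -in "$dir/int-ca.csr.pem" \
        -CA "$dir/root-ca.cert.pem" -CAkey "$dir/root-ca.key.pem" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions v3_intermediate_ca \
        -out "$dir/int-ca.cert.pem"

    # Server certificate: signed by the intermediate. openssl x509 -req ignores
    # any extensions in the CSR, so the SAN list comes from the extfile section.
    openssl genrsa -out "$dir/server.key.pem" 2048
    openssl req -new -sha256 -config "$dir/ext.cnf" -key "$dir/server.key.pem" \
        -subj "/O=Example Lab/CN=www.example.test" -out "$dir/server.csr.pem"
    openssl x509 -req -sha256 -days 397 -in "$dir/server.csr.pem" \
        -CA "$dir/int-ca.cert.pem" -CAkey "$dir/int-ca.key.pem" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions server_cert \
        -out "$dir/server.cert.pem"
}

# Verify both links of the chain with the root as the only trust anchor.
# The intermediate is not self-signed, so it is passed with -untrusted; naming
# it in -CAfile alone fails with "unable to get issuer certificate".
verify_chain() {
    openssl verify -CAfile "$1/root-ca.cert.pem" "$1/int-ca.cert.pem"
    openssl verify -CAfile "$1/root-ca.cert.pem" -untrusted "$1/int-ca.cert.pem" \
        "$1/server.cert.pem"
}

# Print the server certificate's SAN list with whitespace removed,
# e.g. DNS:www.example.test,DNS:example.test
server_sans() {
    openssl x509 -noout -text -in "$1/server.cert.pem" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" "DNS:www.example.test,DNS:example.test"
verify_chain "$demo_dir"
echo "chain written to $demo_dir"
echo "server SANs: $(server_sans "$demo_dir")"
```

Run it with sh; the keys and certificates land in the temporary directory it prints. The last verify call passes the intermediate with -untrusted because only the self-signed root is a trust anchor; an openssl verify -CAfile that names just the intermediate fails unless -partial_chain is given.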