Generating the ASP certificate: Certificate chain with two levels

This procedure describes the steps you should perform to generate a certificate chain consisting of two levels, that is, a self-signed root certificate and a leaf certificate issued by that root.

Before you begin

This procedure assumes that you are using OpenSSL.

Generating a certificate chain with two levels (manually)

  1. Create an OpenSSL extension file for the leaf certificate, for example leaf.ext, containing the following content:

    [ server ]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = clientAuth
    basicConstraints = critical,CA:FALSE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always

    This ensures that the leaf certificate is marked as an end-entity certificate (CA:FALSE, so it cannot itself issue certificates) and that it can be used for TLS web client authentication. The section name server is the name passed to the -extensions option when the leaf certificate is signed in step 5.

  2. Generate a root key pair and self-signed root certificate using OpenSSL:

    1. Execute the following command:

      openssl req -x509 -newkey rsa:2048 -keyout asp_root_key.pem -out asp_root_crt.pem -sha256 -days 3650

      where:

      • asp_root_key.pem is a PEM file containing the ASP root private key, encrypted with the passphrase you enter in the next step.
      • asp_root_crt.pem is a PEM file containing the self-signed ASP root certificate.
    2. Provide a password to protect the private key, and confirm this password.

      Generating a 2048 bit RSA private key
      ................+++
      ..............+++
      writing new private key to 'asp_root_key.pem'
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:

      Select a sufficiently strong password and ensure that the password is safeguarded appropriately: anyone who obtains asp_root_key.pem together with this password can issue further leaf certificates under the ASP root.

    3. You will also be requested to provide some information to identify yourself. This information will be included in the ASP certificate:

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:

      The ASP certificate will have a lifetime of ten years.

  3. Generate a leaf key pair with the following OpenSSL command:

    openssl genrsa -out asp_leaf_key.pem 2048

    where:

    • asp_leaf_key.pem is a PEM file containing the ASP leaf private key (the public key is derived from it when the CSR is created). Note that this command does not encrypt the key; protect the file with appropriate file permissions.

    When you execute this command, you should see following output:

    Generating RSA private key, 2048 bit long modulus
    ...................+++
    .....................+++
    e is 65537 (0x010001)

  4. Generate a certificate signing request (CSR) for the leaf public key:

    1. Execute the following command:

      openssl req -new -key asp_leaf_key.pem -out asp_leaf_csr.csr -sha256

      where:

      • asp_leaf_csr.csr is the certificate signing request.
    2. You will also be requested to provide some information to identify yourself. This information will be included in the ASP leaf certificate. The challenge password and optional company name are CSR attributes that this procedure does not use; they can be left blank and are unrelated to the root key password.

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

  5. Generate the leaf certificate from the certificate signing request (CSR):

    1. Execute the following command:

      openssl x509 -req -CA asp_root_crt.pem -CAkey asp_root_key.pem -days 1825 -set_serial 1 -in asp_leaf_csr.csr -out asp_leaf_crt.pem -sha256 -extfile leaf.ext -extensions server

      where:

      • asp_leaf_crt.pem is a PEM file containing the ASP leaf certificate.
      • -set_serial 1 assigns the serial number 1 to the leaf certificate. Serial numbers must be unique per issuer, so if you later issue another leaf certificate under the same root (for example to renew it), use a different serial number, or replace -set_serial 1 with -CAcreateserial so that OpenSSL tracks the next serial number in a file for you.
    2. Provide the password for the ASP root private key in order to sign the leaf certificate.

      Signature ok
      subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
      Getting CA Private Key
      Enter pass phrase for asp_root_key.pem:

    The ASP leaf certificate will have a lifetime of five years.
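The following script is an added example, not part of the original procedure or of any ASP product: it runs steps 1 to 5 above non-interactively and then checks the result, which the manual procedure does not do. The file names match the procedure; the subject names and the root key passphrase (taken from the hypothetical ASP_ROOT_PASS variable, with a constructed default) are assumptions. It differs from the procedure in using -CAcreateserial rather than -set_serial 1, so that a re-issued leaf does not reuse serial number 1, and in passing the DN and passphrase on the command line instead of at the prompts.

```shell
#!/bin/sh
# Added example (not from the original page): build the two-level ASP chain
# non-interactively, then verify that the leaf really chains to the root and
# carries the extensions from leaf.ext.
set -eu

# Constructed values for this example; replace them in real use.
ASP_ROOT_PASS="${ASP_ROOT_PASS:-example-root-passphrase}"
ROOT_SUBJ="/C=AU/ST=Some-State/O=Example Org/CN=ASP Root CA"
LEAF_SUBJ="/C=AU/ST=Some-State/O=Example Org/CN=asp-client"

# build_asp_chain DIR: writes leaf.ext, asp_root_key.pem, asp_root_crt.pem,
# asp_leaf_key.pem, asp_leaf_csr.csr and asp_leaf_crt.pem into DIR.
build_asp_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Step 1: extension file for the leaf certificate (same content as the page).
    cat > "$dir/leaf.ext" <<'EOF'
[ server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
    # Step 2: root key pair and self-signed root certificate, ten years.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -keyout "$dir/asp_root_key.pem" -out "$dir/asp_root_crt.pem" \
        -subj "$ROOT_SUBJ" -passout "pass:$ASP_ROOT_PASS" 2>/dev/null
    # Step 3: leaf key pair.
    openssl genrsa -out "$dir/asp_leaf_key.pem" 2048 2>/dev/null
    # Step 4: CSR for the leaf public key.
    openssl req -new -sha256 -key "$dir/asp_leaf_key.pem" \
        -out "$dir/asp_leaf_csr.csr" -subj "$LEAF_SUBJ"
    # Step 5: sign the leaf with the root, five years. -CAcreateserial is used
    # instead of the page's -set_serial 1 so re-issued leaves get fresh serials.
    openssl x509 -req -sha256 -days 1825 \
        -CA "$dir/asp_root_crt.pem" -CAkey "$dir/asp_root_key.pem" \
        -CAcreateserial -passin "pass:$ASP_ROOT_PASS" \
        -in "$dir/asp_leaf_csr.csr" -out "$dir/asp_leaf_crt.pem" \
        -extfile "$dir/leaf.ext" -extensions server 2>/dev/null
}

# verify_asp_chain DIR: returns 0 only if the leaf validates against the root,
# was issued by the root's subject, is not a CA, and has the clientAuth EKU.
verify_asp_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/asp_root_crt.pem" \
        "$dir/asp_leaf_crt.pem" >/dev/null 2>&1 || return 1
    root_subj=$(openssl x509 -in "$dir/asp_root_crt.pem" -noout -subject)
    leaf_iss=$(openssl x509 -in "$dir/asp_leaf_crt.pem" -noout -issuer)
    # Both lines carry a "subject=" / "issuer=" prefix; compare the DN part.
    [ "${root_subj#subject=}" = "${leaf_iss#issuer=}" ] || return 1
    text=$(openssl x509 -in "$dir/asp_leaf_crt.pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
    return 0
}

# Usage: sh asp_chain.sh ./asp-ca
if [ $# -ge 1 ]; then
    build_asp_chain "$1"
    verify_asp_chain "$1" && echo "chain in $1 verified OK"
fi
```

The verification function is the check worth keeping after the manual procedure too: openssl verify confirms the root's signature over the leaf, and the -text checks confirm that leaf.ext was actually applied (a leaf signed without -extfile validates but lacks CA:FALSE and the clientAuth EKU).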