how to create a SSL certificate chain from my own CA?

ssl openssl tls certificate-authority self-signed-certificate

I use my own CA to create SSL certs for services in my infra. These certs are signed directly by my CA.

It comes to me that this is likely a weak strategy, as if the cert was to be compromised, I need to create new ones from the one CA. If the CA gets compromised, game over as every service will need to be updated.

So my understanding is that the typical way to 'protect' oneself and 'dilute' concern is to create a chain of certificates, and sign the service certificates with the end of the chain, so that if the signer gets compromised, the next level up can be used to create a new signing cert.

Do I get that right?

What I'd like to do then is create my own cert chain.

The whole TLS/SSL stuff is still a bit hazy to me, but as I can see, one first create a master key, with openssl genrsa then create a self-signed certificate using that key with openssl req -x509 -new to create the CA.

Then I can create new keys, and certificate signing requests with openssl req -new -key' and sign the request with my CA withopenssl x509 -req -CA ca.pem ...`

So, to create a certificate chain, what am supposed to do?

Do I simply create a new key, new signing request, and sign it with the last signed certificate instead of the CA? And so on until I have enough levels of protection, then sign all cert/key pairs with the lowest level cert?

This stuff is confusing and I'd like to get it right ;-)

Everything I find only about TLS is overwhelmingly complicated, while the 'simple' tutorials are obscure. I'm looking through the openssl man-pages but I'd like to get a simple explanation of the process, then I'll make sure to get each step right.

Thanks for your insight.


You sign an intermediate CA request with the root CA. With this signing certificate authority the root CA can remain offline.

The root CA can still be trusted and issue replacement signing CAs if necessary. The challenge then becomes issuing certificate revocations, especially if you don't control all clients.

The process is somewhat involved if you do it manually. See https://jamielinux.com/docs/openssl-certificate-authority/ for a guide.

Related

How to install nginx 1.9x with HTTP 2 support (1.95 or higher) on Ubuntu 15.10
AWS RDS keeps backing up my server on creation
What user should run the gunicorn process?
Running dmesg on Docker results in "dmesg: read kernel buffer failed: Permission denied"
Set up IIS as forward proxy for HTTPS requests
How to hash based on host + path in Varnish?
How does Docker work as far as being able to edit Apache config files and similar stuff?
Nginx point subdirectory to root
5 seconds for hostname -f and a strange DNS request
Why is my VM created in GCE asia-east1 is getting a US IP address?
Root-causing vastly different performance on iozone O_SYNC benchmark for two HDD manufacturers
Make Yum recognize that httpd24-httpd (from SCL) provides the webserver virtual package