- 18 Oct 2024
- 4 minutes to read
Option 3: Three-Level Certificate Chain
This procedure describes the steps that you need to complete to generate a certificate chain that consists of three levels: a root certificate, an intermediate certificate, and a leaf certificate.
Before you begin
This procedure assumes that you are using OpenSSL. The command output shown below is from OpenSSL 1.1.x; OpenSSL 3.x prints slightly different messages (for example, genrsa no longer reports the public exponent, and x509 -req reports "Certificate request self-signature ok"), but the commands themselves are unchanged.
Generate a three-level certificate chain
To generate a certificate chain with three levels (manually)
Create an OpenSSL extension file for the intermediate certificate, for example intermediate.ext, with the following content:

```
[ server ]
# X509 extensions for a CA
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
```

The section name (server) must match the value passed to -extensions when the certificate is signed.
This ensures that the intermediate certificate can be used to issue other certificates.
Create an OpenSSL extension file for the leaf certificate, for example leaf.ext, with the following content:

```
[ server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
```
This ensures that the leaf certificate can be used for TLS web client authentication.
Generate a root key pair and a self-signed root certificate with OpenSSL.
Run the following command:
```
openssl req -x509 -newkey rsa:2048 -keyout asp_root_key.pem -out asp_root_crt.pem -sha256 -days 3650
```
where:
asp_root_key.pem is a PEM file that contains the ASP root key pair.
asp_root_crt.pem is a PEM file that contains the ASP root certificate.
Provide a password to protect the private key, and confirm this password.
```
Generating a 2048 bit RSA private key
................+++
..............+++
writing new private key to 'asp_root_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
```
Select a sufficiently strong password and ensure that the password is safeguarded appropriately.
You will also be asked for the information that identifies the issuer. This information forms the subject (Distinguished Name) of the ASP root certificate:
```
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
```
The ASP root certificate will expire after ten years (-days 3650).
Run the following command to generate an intermediate key pair:

```
openssl genrsa -out asp_subca_key.pem 2048
```

where asp_subca_key.pem is a PEM file that contains the intermediate key pair. Note that genrsa writes the key unencrypted unless you add an encryption option such as -aes256; whoever holds this file can issue certificates that chain to your root, so protect it at least as carefully as the root key.
When you run this command, you should see the following output:
```
Generating RSA private key, 2048 bit long modulus
...................+++
.....................+++
e is 65537 (0x010001)
```
Generate a certificate signing request (CSR) for the intermediate public key.
Run the following command:
```
openssl req -new -key asp_subca_key.pem -out asp_subca_csr.csr -sha256
```
where asp_subca_csr.csr is the certificate signing request.
You will also be requested to provide some information to identify yourself. This information will be included in the ASP intermediate certificate:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Generate the intermediate certificate from the certificate signing request (CSR).
Run the following command:
```
openssl x509 -req -CA asp_root_crt.pem -CAkey asp_root_key.pem -days 3650 -set_serial 1 -in asp_subca_csr.csr -out asp_subca_crt.pem -sha256 -extfile intermediate.ext -extensions server
```
where asp_subca_crt.pem is a PEM file that contains the ASP intermediate certificate.
Provide the password for the ASP root private key in order to sign the intermediate certificate.
```
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key
Enter pass phrase for asp_root_key.pem:
```
The ASP intermediate certificate will expire after ten years.
Run the following command to generate a leaf key pair:
```
openssl genrsa -out asp_leaf_key.pem 2048
```
where asp_leaf_key.pem is a PEM file that contains the ASP leaf key pair.
```
Generating RSA private key, 2048 bit long modulus
...................+++
.....................+++
e is 65537 (0x010001)
```
Generate a certificate signing request (CSR) for the leaf public key.
Run the following command:
```
openssl req -new -key asp_leaf_key.pem -out asp_leaf_csr.csr -sha256
```
where asp_leaf_csr.csr is the certificate signing request.
You will also be requested to provide some information to identify yourself. This information will be included in the ASP leaf certificate:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Generate the leaf certificate from the certificate signing request (CSR).
Run the following command:
```
openssl x509 -req -CA asp_subca_crt.pem -CAkey asp_subca_key.pem -days 1825 -set_serial 1 -in asp_leaf_csr.csr -out asp_leaf_crt.pem -sha256 -extfile leaf.ext -extensions server
```

The leaf must be signed with the intermediate certificate and key (asp_subca_crt.pem and asp_subca_key.pem), not with the root. Signing it with the root key would produce a two-level chain in which the intermediate is never used. Serial numbers only need to be unique per issuer, so serial 1 under the intermediate does not collide with the intermediate's own serial 1 under the root; for anything beyond a lab, track serials with -CAcreateserial/-CAserial instead of a fixed -set_serial.
where asp_leaf_crt.pem is a PEM file that contains the ASP leaf certificate.
Because asp_subca_key.pem was generated without a passphrase, OpenSSL does not prompt for one here; if you encrypted the intermediate key, you are asked for its passphrase at this point.

```
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key
```
The ASP leaf certificate will expire after five years (-days 1825). A leaf is only usable while every certificate above it is also valid, so in practice it stops verifying as soon as the intermediate or the root expires, whichever comes first.
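The whole procedure as one non-interactive script, followed by the verification step that confirms the leaf really chains root → intermediate → leaf. This is an added example, not part of the original page: it assumes OpenSSL 1.1.1 or 3.x on PATH, uses unencrypted keys and made-up subject names (ASP Example Root CA, ASP Example Intermediate CA, asp-client-01) for a lab only, keeps the page's file names, puts the root's extensions in a config file named chain.cnf, and tightens the intermediate's extensions beyond the page's intermediate.ext by adding pathlen:0 and marking keyUsage critical.

```shell
#!/bin/sh
# Added example, not from the original page: build the root -> intermediate -> leaf
# chain non-interactively and verify it. Assumes openssl 1.1.1 or 3.x on PATH.
# File names follow the page; chain.cnf, the DN values, unencrypted keys,
# pathlen:0 and critical keyUsage on the intermediate are choices made here.
set -eu

# Write the three config files into the current directory.
write_configs() {
  # Minimal req config: the empty [dn] section satisfies req's requirement for a
  # distinguished_name section while -subj supplies the actual DN.
  cat > chain.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # As the page's intermediate.ext, plus pathlen:0 (this CA may issue leaves
  # but no further CAs) and keyUsage marked critical.
  cat > intermediate.ext <<'EOF'
[ server ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
  # Same content as the page's leaf.ext.
  cat > leaf.ext <<'EOF'
[ server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
}

# build_chain DIR: create all keys and certificates inside DIR. The body is a
# subshell so the caller's working directory is left unchanged.
build_chain() (
  mkdir -p "$1" && cd "$1"
  write_configs
  # 1. Root key pair and self-signed root certificate (-nodes: unencrypted key).
  openssl req -x509 -newkey rsa:2048 -nodes -config chain.cnf -extensions v3_root \
    -subj "/CN=ASP Example Root CA" -keyout asp_root_key.pem -out asp_root_crt.pem \
    -sha256 -days 3650 2>/dev/null
  # 2. Intermediate key and CSR; certificate issued by the ROOT.
  openssl genrsa -out asp_subca_key.pem 2048 2>/dev/null
  openssl req -new -config chain.cnf -key asp_subca_key.pem \
    -subj "/CN=ASP Example Intermediate CA" -out asp_subca_csr.csr -sha256
  openssl x509 -req -CA asp_root_crt.pem -CAkey asp_root_key.pem -days 3650 -set_serial 1 \
    -in asp_subca_csr.csr -out asp_subca_crt.pem -sha256 \
    -extfile intermediate.ext -extensions server 2>/dev/null
  # 3. Leaf key and CSR; certificate issued by the INTERMEDIATE, not the root.
  openssl genrsa -out asp_leaf_key.pem 2048 2>/dev/null
  openssl req -new -config chain.cnf -key asp_leaf_key.pem \
    -subj "/CN=asp-client-01" -out asp_leaf_csr.csr -sha256
  openssl x509 -req -CA asp_subca_crt.pem -CAkey asp_subca_key.pem -days 1825 -set_serial 1 \
    -in asp_leaf_csr.csr -out asp_leaf_crt.pem -sha256 \
    -extfile leaf.ext -extensions server 2>/dev/null
)

# verify_chain DIR: print OK and return 0 only if the leaf chains to the root through
# the intermediate. Only the root is a trust anchor (-CAfile); the intermediate is
# passed as untrusted path material (-untrusted), the way a TLS peer would present it.
verify_chain() {
  if openssl verify -CAfile "$1/asp_root_crt.pem" -untrusted "$1/asp_subca_crt.pem" \
       "$1/asp_leaf_crt.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# issuer_of FILE: print the issuer DN, to confirm which CA signed a certificate.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Usage: build_chain ./asp-lab && verify_chain ./asp-lab && issuer_of ./asp-lab/asp_leaf_crt.pem
```

The verify call is the check the page never performs: if the leaf had been signed with the root key, `issuer_of` on the leaf would name the root and the intermediate would be dead weight. Conversely, verifying the leaf with only `-CAfile` and no `-untrusted` intermediate must fail, which is why clients of a three-level PKI have to be handed the intermediate alongside the leaf.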