OpenSSL: Create a self-signed CA with many intermediate certificate levels
I'd like to build my own self-signed CA structure to use in my applications. The idea is presented by the following picture:
So, to summarize it, I want a CA that has several levels of intermediate certificates.
For instance I want to create a Root CA that signs all of my apps and then create an intermediate cert for my first app APP_1. This app is used by several companies so I want that every company has it's own intermediate cert just for them which is signed by APP_1 (you can imagine this intermediate cert as a "child" of APP_1 cert). Company intermediate cert then signs end-user's certificate which he uses on his device.
Is it possible to create this cert hierarchy scheme with OpenSSL?
I've tried to create an example of this scheme and it went well until I tried to verify Company_1 intermediate cert. The verification with the chain was successful, but the verification with the intermediate cert that created this one failed. The command that fails is this one:
openssl verify -CAfile /CA/app_1/certs/app_1.cert.pem /CA/app_1/company_1/certs/company_1.cert.pem
The error is as it follows:
error 2 at 1 depth lookup: unable to get issuer certificate
error /CA/app_1/company_1/certs/company_1.cert.pem: verification failed
What am I doing wrong? Should I also verify the Company_1 intermediate with Root CA as I do with APP_1?
openssl verify by default wants to build the full chain. But you only provide the leaf certificate and the chain certificate and not the root certificate (which is signed by itself). To accept a chain certificate as the final trust anchor instead of a root certificate use the -partial_chain option:
$ openssl verify -partial_chain -CAfile app_1.cert.pem company_1.cert.pem
- Curl: Fix CURL (51) SSL error: no alternative certificate subject name matches
- How to disable SSL verification in Spring Vault
- gitea using a normal user and https
- Is possible to use Amazon Elastic Beanstalk with SSL (HTTPS) without a Load Balancer?
- Received fatal alert: bad_certificate
- Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
- Reason to disable CSRF in spring boot
- Composer : SSL certificate problem: unable to get local issuer certificate
- Unable to verify leaf signature
- Java Keytool error after importing certificate , "keytool error: java.io.FileNotFoundException & Access Denied"
- SSL, Connection is not secure
- kubectl unable to connect to server: x509: certificate signed by unknown authority
- Cannot figure out why DTLS handshake does not complete
- file_get_contents(): SSL operation failed with code 1, Failed to enable crypto
- How to Check Subject Alternative Names for a SSL/TLS Certificate?
- Self-Signed CA Certificates Rejected by Android
- AWS Java SDK SSL Certificates
- How to use awx cli?
- nodejs environment variable "NODE_EXTRA_CA_CERTS"
- How to connect to MongoDB with certificate using DataGrip?
- Insomnia : Error: SSL peer certificate or SSH remote key was not OK
- AWS EC2 Spring Boot Deployment - SSL/HTTPS Error after Configuring Route 53, ACM, and GoDaddy
- Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
- Implicitly trust SSL certificates in iOS app for private API
- Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
- Docker not able to pull images behind proxy TLS handshake timeout
- How come I can make SSL connections to AWS Postgre RDS, when the ca certificate already expired?
- HTTP to HTTPS Nginx too many redirects
- curl error 60 while downloading https://repo.packagist.org Certificate issue on Ubuntu?
- nginx the "ssl" directive is deprecated, use the "listen ... ssl"