[gnutls-help] Generating multi-layer certificates

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 16 19:00:23 CEST 2013

On 10/16/2013 11:02 AM, Juan Miscaro wrote:
> Hello.  Would someone be so kind as to provide assistance in generating
> multi-layer certificates?  I am doing some research and would like to
> generate a self-signed CA, a few intermediate certificates, and then a
> server certificate.  Most of what I've seen on the internet has to do with
> the openssl command but I want to use the certtool command.  Thanks for any
> help in this important matter.

If you're controlling all the keys, you don't need to bother with CSRs,
and can just make the certificates directly.

You can generate a secret key with:

 certtool --generate-privkey

This will print the PEM-encoded key to stdout, so redirect that to the
file you want to create.

for example:

 certtool --generate-privkey > root-ca.key
 certtool --generate-privkey > intermediate-ca.key
 certtool --generate-privkey > end-entity.key

extract the public keys from the intermediate and the EE and set them aside:

 certtool --load-privkey intermediate-ca.key \
    --pubkey-info > intermediate-ca.pubkey
 certtool --load-privkey end-entity.key \
    --pubkey-info > end-entity.pubkey

For the root CA, you want to create a self-signed cert:

 certtool --load-privkey=root-ca.key --generate-self-signed >root-ca.pem

You will be prompted to answer some questions.  feel free to leave the
irrelevant ones blank, or choose the defaults.  Make sure you answer "y"
to "Does the certificate belong to an authority?" and "Will the
certificate be used to sign other certificates?"

To create the certificate for the intermediate CA, you want to want to
issue it with the root CA's key:

 certtool --load-ca-privkey=root-ca.key \
   --load-ca-certificate=root-ca.pem \
   --load-pubkey=intermediate-ca.pubkey \
   > intermediate-ca.pem

You will also be prompted to answer some questions here.

Now you can create the end entity's certificate, using the intermediate
CA's key:

 certtool --load-ca-privkey=intermediate-ca.key \
   --load-ca-certificate=intermediate-ca.pem \
   --load-pubkey=end-entity.pubkey \
   > end-entity.pem

answer the questions appropriate for the end-entity. in particular, you
probably want the Common Name to be the server's canonical name (e.g.
"example.com", without the quotes), and you want to enter a "dnsName"
for each and every name the server is addressed by, including the
canonical name (e.g. "example.com" and then when prompted again,
"www.example.com" -- you can keep adding subjectAltNames like this until
you enter a blank name, and then the prompting will continue).

If you want to automate much of this, or you don't want to deal with the
prompting, you can supply a template file to any of these commands with
--template=FILENAME.  Check out the example template file in
/usr/share/doc/gnutls-bin/examples/certtool.cfg (or wherever your
distribution places it) to see the structure and format of the file.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20131016/5d96e578/attachment.sig>

More information about the Gnutls-help mailing list