Table of Contents / Create the Signing CA
-
To create the Signing CA private key:
cd into the folder:
cd C:\Certificates\DoD\CA\SigningCreate the private key:
openssl genrsa -aes256 -out private/signing.key 4096Enter a strong password
-
Create a signing request for the root CA to sign your signingCA cert:
openssl req -config signingca.cnf -new -sha256 -key private/signing.key -out csr/signing.csr.pemMost of the options need to match the Root CA.
Common Name, however must be different than the Root CA, useDoD Signing CAforCommon Name. -
Now to create the signingCA public Key, you must sign it using the root CA.
cd back into the Root CA folder:
cd .. -
Create the cert using the CSR:
openssl ca -config rootca.cnf -extensions v3_intermediate_ca -days 730 -notext -md sha256 -in Signing/csr/signing.csr.pem -out Signing/public/signing.cerNote: You need to enter the Root CA's password here because the Root CA is signing the Intermediate CA.
Select
yto sign the certificate.Select
yto commit the certificate into the database.This will create the cert, and add the cert to the index, if its the first one it will throw a minor error and then create the index for you.
-
Verify the CERT:
cd back into the signing directory:
cd Signing openssl x509 -noout -text -in public/signing.cer
Next: Create a Client Certificate
Table of Contents / Create the Signing CA