Create Root CA (self-signed):
Let's have a look at the options in detail:
-x509 identifies that a certificate is required, rather than just a certificate request (see below).
-days 30000 sets the certificate to expire in 30000 days. You may want to extend this period. Make a note of the expiry date so that you can renew it when necessary!
-sha1 specifies that SHA1 encryption should be used.
-newkey rsa:2048 sets the key as 2048-bit RSA.
-nodes specifies no passphrase.
-keyout and -out specify where to store the certificate and key. The key should be root-readable only; the certificate can be world-readable, and must be readable by the user that Apache runs as.
-subj sets the company name, department name, and the web site address. If you leave these out, you'll be prompted for them. The CN must be the same as the address of your web site, otherwise the certificate won't match and users will receive a warning when connecting. Make sure you don't use a challenge password.
Create it:
sudo openssl req -x509 -nodes -newkey rsa:2048 -sha1 -keyout rootkey.key -out rootca.crt -passin pass:root -days 30000 -subj "/C=DU/ST=Dubai/L=TownCenter/O=AmesCom/CN=AmesCom Int" -config openssl.cnf.my
Encrypt the key manually:
The key is not encrypted because of the -nodes option, so we encrypt it manually (the -aes256 flag is what makes openssl rsa write a passphrase-protected key; without a cipher flag it just rewrites the key in the clear):
sudo cp rootkey.key rootkey.key.org
sudo openssl rsa -aes256 -in rootkey.key.org -out rootkey.key
Test it:
To test it immediately, you may follow one of two ways:
openssl x509 -text -noout -in rootca.crt
or examine its contents in a browser:
cp rootca.crt /var/www/html/
From a browser, request the address:
http://yourserverdomain/rootca.crt
Now you can create certificate requests and sign them with this self-signed certificate.
Best Answer
I'm not absolutely sure, but since nobody else is answering here's my take.
The only entity which is able to sign certificates is a CA. There are different levels of CAs, so you could in theory set up your own CA subordinate to CaCert (and hence have its own CA cert signed by CaCert). This would make the normal certificates you would be signing participate in a chain of trust of length 3 (rather than 2).
From what I gather from this page, it's somehow possible to become a "CACert member" and get what they call a "subroot" certificate — this one would allow you to sign your own certificates and make them trusted by anyone trusting the root CACert certificate (provided you also make available the certificate of your subordinate CA in one way or another — for instance, a server using PEM-formatted certificates might use a certificate file which is merely a concatenation of both the server's certificate and the CA certificate in PEM format).
My personal experience with this kind of setup was this: some time ago the xmpp.net federation provided free certificates for any XMPP server whose admin wished to get one. That federation was itself a CA subordinate to StartCom. So after getting my server certificate I needed to tell my server to present both its own cert and the xmpp.net cert in one bundle to make the trust chain complete for its clients, as they would usually trust StartCom but not xmpp.net.
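A worked example added here, not code from the question or the answer, that carries the question's root CA through the three-link chain the answer describes: a subordinate CA signed by the root, a server certificate signed by the subordinate, and the PEM bundle (server cert followed by subordinate cert) a server would present, then checks that a client trusting only the root verifies the bundle but not the bare server cert. It uses SHA-256 in place of the question's SHA-1; the scratch directory, subjects, file names and the host www.example.test are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or answer. Assumes a modern
# openssl (1.1.x or 3.x) on PATH; subjects, file names and hostnames are constructed.
set -e

build_chain() {   # $1 = scratch directory to work in
  mkdir -p "$1" && cd "$1"
  # CA extensions: the root may sign other CAs; the subordinate (pathlen:0) may only sign leaves.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext

  # 1. Root CA: a CSR self-signed with its own key (-signkey). -nodes keeps the key
  #    unencrypted for a non-interactive run; protect it afterwards with 'openssl rsa -aes256'.
  openssl req -nodes -newkey rsa:2048 -keyout root.key -out root.csr \
    -subj "/O=ExampleCorp/CN=ExampleCorp Root CA" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
    -extfile root.ext -out root.crt 2>/dev/null

  # 2. Subordinate CA: its CSR is signed by the root, giving a chain of length 3.
  openssl req -nodes -newkey rsa:2048 -keyout sub.key -out sub.csr \
    -subj "/O=ExampleCorp/CN=ExampleCorp Issuing CA" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in sub.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile sub.ext -out sub.crt 2>/dev/null

  # 3. Server certificate signed by the subordinate; CN/SAN must match the site name.
  openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in server.csr -CA sub.crt -CAkey sub.key \
    -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null

  # 4. What the server presents: its own cert followed by the subordinate CA cert.
  cat server.crt sub.crt > server-bundle.crt
}

# Succeeds only if a client trusting just the root CANNOT verify the bare server
# cert but CAN verify it once the subordinate cert from the bundle is supplied.
verify_chain() {   # $1 = directory populated by build_chain
  cd "$1"
  if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; then
    return 1                      # bare leaf must not chain to the root on its own
  fi
  openssl verify -CAfile root.crt -untrusted sub.crt server.crt >/dev/null 2>&1
}
```

Run it as `build_chain /tmp/chain-demo && verify_chain /tmp/chain-demo && echo chain OK`; the `-untrusted sub.crt` in the last step is exactly what the bundle supplies to a client that ships only the root.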