0
votes

I'm trying to generate a certificate for an intermediate-ca with openssl which is signed by my own root ca. The root ca certificate is v3, but when I try to generate a csr for the intermediate-ca, openssl always generates a v1 certificate, which is also not allowed to sign other certificates.

The commands I used to generate a signed certificate (for the intermediate ca):

openssl genrsa -aes256 -out key.pem 4096

openssl req -new -key key.pem -out request.csr -reqexts v3_ca -extensions v3_ca

openssl x509 -req -days 365 -in request.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out certificate.pem -sha512 -extensions v3_ca

I have the version OpenSSL 1.1.0f on Windows and I didn't change my configuration file.

Thanks for your help!

1 Answer

0
votes

Use the "openssl ca" command instead to sign the CSR with your CA certificate. Set the parameters you need (extensions, validity, etc.). It's easier if you have set a ca section in your openssl configuration file; then you can add the -batch parameter and the command should run without asking for any input or option.
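
The approach from the answer, written out as an added example that is not part of the original answer: "openssl ca" reads the section named by -extensions from the configuration file and writes those extensions into the issued certificate, which makes it X.509 v3. The file ca.cnf, the section names v3_intermediate_ca and policy_any, the subject names, and the unencrypted 2048-bit keys are assumptions made so that the example runs without prompts.

```bash
# Added example. Constructed values: ca.cnf, subject names, 2048-bit
# unencrypted keys (demo only; the question uses 4096-bit AES-encrypted keys).
build_chain() (   # usage: build_chain /path/to/empty/dir
  set -e; cd "$1"
  mkdir -p newcerts && : > index.txt && echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha512
default_days    = 365
policy          = policy_any
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
  # Root CA: self-signed, v3 extensions applied at creation.
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -x509 -new -key ca-key.pem -subj "/CN=Constructed Root CA" \
    -days 3650 -sha512 -config ca.cnf -extensions v3_ca -out ca-root.pem
  # Intermediate CA: key and CSR, then signed by the root with "openssl ca".
  openssl genrsa -out key.pem 2048 2>/dev/null
  openssl req -new -key key.pem -subj "/CN=Constructed Intermediate CA" \
    -config ca.cnf -out request.csr
  openssl ca -batch -config ca.cnf -cert ca-root.pem -keyfile ca-key.pem \
    -extensions v3_intermediate_ca -notext -in request.csr -out certificate.pem
)
cert_version() {  # prints the X.509 version number of a PEM certificate
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
```

After build_chain has run in an empty directory, cert_version and is_ca on certificate.pem show whether the intermediate is v3 and allowed to sign, and "openssl verify -CAfile ca-root.pem certificate.pem" checks it against the root.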