notes/divers/my_root_CA_generate_certificate.md

2026-03-12 22:01:38 +01:00
# Issue a Server Certificate
> Based on https://medium.com/@sureshchand.rhce/how-to-build-a-root-ca-intermediate-ca-with-openssl-eba1c73d1591
## Create server key
``` bash
openssl genpkey -algorithm RSA \
-out exegol.swgalaxy.key.pem \
-pkeyopt rsa_keygen_bits:2048
```
## Create CSR with SAN
Define a configuration file for the CSR `exegol.swgalaxy.cnf`:
```
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = FR
ST = Yvelines
L = Le Vesinet
O = swgalaxy
OU = swgalaxy servers
CN = exegol.swgalaxy
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```
Create the CSR:
``` bash
openssl req -new -key exegol.swgalaxy.key.pem \
-out exegol.swgalaxy.csr.pem \
-config exegol.swgalaxy.cnf
```
## Sign with Intermediate CA
Update the `server_cert` extension section in the **intermediate CA** configuration file `/app/pki/intermediate/openssl.cnf`. The SANs are repeated here because `openssl ca` ignores the extensions carried in the CSR unless `copy_extensions` is enabled, so the SAN has to come from the CA-side section:
```
[ server_cert ]
# Basic identity
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# Server certificates must NOT be CA certificates
basicConstraints = critical, CA:FALSE
# Key usage: what the certificate is allowed to do
keyUsage = critical, digitalSignature, keyEncipherment
# Extended key usage: define this as a TLS server certificate
extendedKeyUsage = serverAuth
# Allow SANs (modern TLS requires SANs)
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```
Sign the certificate with **intermediate CA**:
``` bash
openssl ca -config /app/pki/intermediate/openssl.cnf \
-extensions server_cert \
-days 3650 -notext -md sha256 \
-in exegol.swgalaxy.csr.pem \
-out /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```
## Verify the chain
``` bash
openssl verify \
-CAfile /app/pki/intermediate/certs/ca-chain.cert.pem \
/app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```
## Verify the certificate
``` bash
openssl x509 -text -noout \
-in /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```
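As an added end-to-end check of this procedure (not part of the original note), the script below builds a disposable root and intermediate CA in a temp dir, issues the server certificate from the note's CSR config with its `server_cert` profile, and verifies the chain, SAN, EKU and CA:FALSE. It assumes `openssl` 1.1.1 or newer on PATH and uses `openssl x509 -req` with an extension file as a stand-in for the note's `openssl ca` database setup.

```shell
# Added example (not from the original note): build a throwaway root + intermediate CA,
# issue the note's server cert from its CSR and check the result. Assumes openssl 1.1.1+
# on PATH; `openssl x509 -req -extfile` stands in for the note's `openssl ca` database.
set -eu
# True if the -text dump of certificate $1 contains the string $2.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }
issue_and_verify() (   # subshell body: the cd into the temp dir does not leak
  cd "$(mktemp -d)"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = replaced by -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Same sections as the note's exegol.swgalaxy.cnf, plus its server_cert profile
  cat > server.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
CN = exegol.swgalaxy
[ req_ext ]
subjectAltName = @alt_names
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
EOF
  # Root (self-signed) -> intermediate -> server, short test lifetimes
  openssl req -x509 -config ca.cnf -subj /CN=test-root -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 2>/dev/null
  openssl req -new -config ca.cnf -subj /CN=test-int -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
  openssl req -new -config server.cnf -newkey rsa:2048 -nodes -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -extfile server.cnf -extensions server_cert -out server.pem 2>/dev/null
  cat int.pem root.pem > ca-chain.pem
  # The chain file must carry the intermediate: the root alone cannot verify the leaf
  openssl verify -CAfile ca-chain.pem server.pem >/dev/null
  if openssl verify -CAfile root.pem server.pem >/dev/null 2>&1; then exit 1; fi
  cert_has server.pem 'CA:FALSE' && cert_has server.pem 'TLS Web Server Authentication' && cert_has server.pem 'DNS:exegol.swgalaxy'
)
```

`issue_and_verify` exits 0 only when the chain verifies and the leaf carries the expected extensions; the negative `openssl verify -CAfile root.pem` check shows why `ca-chain.cert.pem` must include the intermediate.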