notes/divers/my_root_CA_generate_certificate.md
2026-03-12 22:01:38 +01:00

Issue a Server Certificate

Based on https://medium.com/@sureshchand.rhce/how-to-build-a-root-ca-intermediate-ca-with-openssl-eba1c73d1591

Create server key

```sh
openssl genpkey -algorithm RSA \
  -out exegol.swgalaxy.key.pem \
  -pkeyopt rsa_keygen_bits:2048
```

Create CSR with SAN

Define a configuration file for the CSR, `exegol.swgalaxy.cnf`:

```ini
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
C = FR
ST = Yvelines
L = Le Vesinet
O = swgalaxy
OU = swgalaxy servers
CN = exegol.swgalaxy

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```

Create the CSR:

```sh
openssl req -new -key exegol.swgalaxy.key.pem \
  -out exegol.swgalaxy.csr.pem \
  -config exegol.swgalaxy.cnf
```

Sign with Intermediate CA

Update the `server_cert` extension section in the intermediate CA configuration file `/app/pki/intermediate/openssl.cnf`. `openssl ca` drops the extensions carried in the CSR unless `copy_extensions` is set, which is why the SAN list is repeated here (and has to be edited for every certificate issued); setting `copy_extensions = copy` under `[ CA_default ]` takes the SAN from the CSR instead and lets the `subjectAltName` line and the `[ alt_names ]` section below be dropped:

```ini
[ server_cert ]
# Basic identity
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

# Server certificates must NOT be CA certificates
basicConstraints = critical, CA:FALSE

# Key usage: what the certificate is allowed to do
keyUsage = critical, digitalSignature, keyEncipherment

# Extended key usage: define this as a TLS server certificate
extendedKeyUsage = serverAuth

# SANs: TLS clients match the hostname against the SAN and ignore the CN
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = exegol.swgalaxy
DNS.2 = exegol
```

Sign the certificate with the intermediate CA. Note that 3650 days exceeds what Apple clients accept for a TLS server certificate (825 days at most), so prefer a shorter lifetime for the leaf if those clients matter:

```sh
openssl ca -config /app/pki/intermediate/openssl.cnf \
  -extensions server_cert \
  -days 3650 -notext -md sha256 \
  -in exegol.swgalaxy.csr.pem \
  -out /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```

Verify the chain

`ca-chain.cert.pem` holds the intermediate and root certificates. Adding `-purpose sslserver` also checks that every certificate in the chain is fit for TLS server use (basicConstraints, keyUsage, extendedKeyUsage), not just that the signatures link up:

```sh
openssl verify \
  -CAfile /app/pki/intermediate/certs/ca-chain.cert.pem \
  /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```

Verify the certificate

Check in the output that the SAN lists every hostname the server will be reached by, that `basicConstraints` says `CA:FALSE`, and that the extended key usage is `TLS Web Server Authentication`:

```sh
openssl x509 -text -noout \
  -in /app/pki/intermediate/certs/exegol.swgalaxy.cert.pem
```
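The whole procedure above, run end to end as an added example (not part of the original note): a throwaway self-signed signing CA created in a temp directory stands in for `/app/pki/intermediate` (an assumption, since that CA is not available here), the SAN is taken from the CSR through `copy_extensions = copy` rather than hard-coded into the CA config, and a `check_server_cert` function performs the post-issuance checks a deployer wants before installing the certificate: chain validity for the `sslserver` purpose, hostname present in the SAN, and private key matching the certificate.

```sh
#!/bin/sh
# Added example, not from the original note: the issuance flow run end to end
# in a temp directory, with the SAN taken from the CSR via copy_extensions
# instead of being hard-coded in the CA config, then the checks a deployer
# should run. Assumption: no real CA exists here, so a throwaway self-signed
# signing CA stands in for /app/pki/intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NAME=exegol.swgalaxy            # hostname used in the note
CA=$WORK/ca
# Throwaway signing CA plus the database files that `openssl ca` expects.
mkdir -p "$CA/newcerts"
touch "$CA/index.txt"
echo 1000 >"$CA/serial"
cat >"$CA/openssl.cnf" <<EOF
[ req ]
distinguished_name = ca_dn
x509_extensions    = ca_ext
prompt             = no
[ ca_dn ]
O  = swgalaxy
CN = swgalaxy throwaway signing CA
[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.cert.pem
private_key     = \$dir/ca.key.pem
default_md      = sha256
policy          = policy_any
unique_subject  = no
# Take extensions (the SAN) from the CSR; anything the -extensions section
# also sets keeps the CA's value, so a CSR cannot smuggle in CA:TRUE.
copy_extensions = copy
[ policy_any ]
organizationName = optional
commonName       = supplied
[ server_cert ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
EOF
openssl req -x509 -config "$CA/openssl.cnf" -newkey rsa:2048 -nodes \
  -days 3650 -keyout "$CA/ca.key.pem" -out "$CA/ca.cert.pem" 2>/dev/null

# Server key, CSR with SAN, and signing, as in the note but non-interactive.
issue_server_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$NAME.key.pem" 2>/dev/null
  cat >"$WORK/$NAME.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no
[ req_dn ]
O  = swgalaxy
CN = $NAME
[ req_ext ]
subjectAltName = DNS:$NAME,DNS:exegol
EOF
  openssl req -new -key "$WORK/$NAME.key.pem" -config "$WORK/$NAME.cnf" \
    -out "$WORK/$NAME.csr.pem"
  # 825 days: the longest leaf lifetime Apple clients still accept.
  openssl ca -batch -config "$CA/openssl.cnf" -extensions server_cert \
    -days 825 -notext -md sha256 \
    -in "$WORK/$NAME.csr.pem" -out "$WORK/$NAME.cert.pem" 2>/dev/null
}

# Post-issuance checks: what a TLS client will actually enforce.
check_server_cert() { # usage: check_server_cert CERT CHAIN KEY HOSTNAME
  cert=$1 chain=$2 key=$3 host=$4
  # Chain builds and every certificate fits the TLS-server purpose
  # (a CA:TRUE leaf, a missing serverAuth EKU or a wrong keyUsage all fail).
  openssl verify -purpose sslserver -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
    { echo "chain/purpose check failed for $cert"; return 1; }
  # The hostname must be a SAN entry; clients do not fall back to the CN.
  pat=$(printf '%s' "$host" | sed 's/\./\\./g')
  openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$pat(,|\$)" ||
    { echo "SAN lacks $host in $cert"; return 1; }
  # The private key must belong to the certificate.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "key $key does not match $cert"; return 1; }
}

issue_server_cert
check_server_cert "$WORK/$NAME.cert.pem" "$CA/ca.cert.pem" "$WORK/$NAME.key.pem" "$NAME"
echo "issued and verified: $WORK/$NAME.cert.pem"
```

Against the real intermediate CA, point `-config` at `/app/pki/intermediate/openssl.cnf` (with `copy_extensions = copy` added under `[ CA_default ]`) and pass `ca-chain.cert.pem` as the chain argument to `check_server_cert`; the function works unchanged for any hostname, so it doubles as a pre-deployment gate in a script that pushes certificates to servers.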