
Following this question I managed to create a number of certificates in a hierarchy of root, intermediate and end certificates:

# Create root RSA key pair of 1024 bits as well as a certificate signing request
openssl.exe req -new -newkey rsa:1024 -nodes -out caRoot.csr -keyout caRoot.key
# Create root certificate and store into .pem format
openssl x509 -trustout -signkey caRoot.key -days 365 -req -in caRoot.csr -out caRoot.pem
# Create intermediate certificate RSA key pair
openssl genrsa -out clientIntermediate.key 1024
# Create intermediate CSR
openssl req -new -key clientIntermediate.key -out clientIntermediate.csr
# Do the same thing for the end certificate
openssl req -new -keyout clientEnd.key -out clientEnd.csr -days 365
# Create a certificate request
openssl ca -policy anyPolicy -keyfile clientIntermediate.key -cert clientIntermediate.pem -out clientEnd.pem -infiles clientEnd.request
# Create and sign certificate
openssl ca -policy anyPolicy -keyfile clientIntermediate.key -cert clientIntermediate.pem -out caRoot.pem -infiles clientEnd.csr

How is it possible to create a certificate chain as described above and store it entirely in PKCS#12 format?

Sebi
  • You've mangled some of the commands from that Q and produced an unusable mishmash. If you do generate a correct cert hierarchy, do you want ONLY the certs or do you want the 'leaf' privatekey WITH its cert chain, or as some say a 'certificate WITH privatekey'? PKCS#12 was designed for the latter, and that's what commandline `openssl` can create and other systems can import. If you want *only* a cert chain, the standard used for that is PKCS#7, which `openssl` can also do by a less obvious method: use `crl2pkcs7`, omit the CRL and add the certs. (Kind of like Jack Nicholson's toast.) – dave_thompson_085 Nov 10 '15 at 16:11
  • I definitely want the latter: leaf private key with its cert chain. How can I use crl2pkcs7? – Sebi Nov 10 '15 at 16:16

1 Answer


The "latter" in my description, privatekey AND cert chain, is PKCS#12 as you originally asked. (PKCS#7 handles the case of ONLY cert chain.) To create PKCS#12 most simply, use the commandline operation pkcs12 with the -export option. There are several ways to combine the options of this command, but two simple ways for a 3-level scenario like yours (root, mid, leaf) are:

openssl pkcs12 -export -in leafcert.pem -inkey leafkey.pem -certfile midcert.pem -CAfile rootcert.pem -chain -out my.p12 

cat leafcert.pem leafkey.pem midcert.pem rootcert.pem | openssl pkcs12 -export -out my.p12 

(substitute your filenames). Full details in the manpage, available on any Unix system where OpenSSL is (fully) installed or online at https://www.openssl.org/docs/man1.0.2/apps/pkcs12.html (or choose earlier version from https://www.openssl.org/docs/manpages.html if needed).

For completeness, if you do/did need the chain without the privatekey, it is

openssl crl2pkcs7 -nocrl -certfile leafcert.pem -certfile midcert.pem -certfile rootcert.pem -out my.p7b 
dave_thompson_085
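A complete, runnable version of the three-level setup plus the pkcs12 -export step, added here as an example (not the answer's own commands or the asker's script). It signs the CSRs with `openssl x509 -req` instead of `openssl ca`, so no CA index/serial database is needed, and passes the intermediate and root via -certfile rather than relying on -chain lookup; all file names, subject names and the password `changeit` are assumptions.

```shell
#!/bin/sh
# Added example: root -> intermediate -> leaf hierarchy, then leaf key + full
# chain in one PKCS#12. "openssl x509 -req" signs CSRs directly, so no
# "openssl ca" index/serial database is needed. Names and password are made up.
set -e

# Build the hierarchy and my.p12 inside the directory given as $1 (runs in a subshell).
build_chain_p12() (
  cd "$1"
  # Self-signed root CA (2048-bit RSA; 1024 is too small for new keys).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
    -keyout rootkey.pem -out rootcert.pem 2>/dev/null
  # Intermediate: CSR signed by the root, marked as a CA so verifiers accept it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Mid CA" \
    -keyout midkey.pem -out mid.csr 2>/dev/null
  openssl x509 -req -days 365 -in mid.csr -CA rootcert.pem -CAkey rootkey.pem \
    -CAcreateserial -extfile ca.ext -out midcert.pem 2>/dev/null
  # Leaf: CSR signed by the intermediate, explicitly not a CA.
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout leafkey.pem -out leaf.csr 2>/dev/null
  openssl x509 -req -days 365 -in leaf.csr -CA midcert.pem -CAkey midkey.pem \
    -CAcreateserial -extfile leaf.ext -out leafcert.pem 2>/dev/null
  # Leaf key + leaf cert + intermediate + root in a single PKCS#12.
  # -certfile adds every certificate in the file; no -chain lookup is needed.
  cat midcert.pem rootcert.pem > chain.pem
  openssl pkcs12 -export -in leafcert.pem -inkey leafkey.pem -certfile chain.pem \
    -passout pass:changeit -out my.p12
)

# Print how many certificates the PKCS#12 file carries (3 for this chain).
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check that the leaf validates through the intermediate up to the root.
verify_leaf() {
  openssl verify -CAfile "$1/rootcert.pem" -untrusted "$1/midcert.pem" "$1/leafcert.pem" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_chain_p12 "$WORK"
echo "$WORK/my.p12 holds $(count_p12_certs "$WORK/my.p12") certificates"
```

`openssl pkcs12 -info -in my.p12 -passin pass:changeit` lists the key bag and the three certificate bags that an importing system will see.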