SSL sign certificate with existing certificate

by László Stahorszki   Last Updated July 11, 2019 20:00 PM

I have an SSL certificate from sslforfree. I have the ca-bundle, certificate and its private key.

I'd like to create my own certificate, for different subdomains. My hope is that somehow I can sign that certificate with my existing certificates in a way that it'll pass all those SSL checks that browsers, mail clients, and others do.

I followed through dozens of tutorials, but either I'm missing an important nuance, or those tutorials are not what I want.

Can anybody help me: how can I sign my new certificates with openssl on CentOS 7?

Answers 2

Technically, you can do that, but no one will trust these certificates. Your SSL certificate is *NOT ALLOWED* to sign other certificates.

If you look at your certificate, you may find a Basic Constraints certificate extension that tells the subject type: end entity or CA. The cA bit will be set to 0 (false), implying that the holder of the certificate is an end entity. Certificate validation code will strictly check this field, and if it finds that an end entity certificate was used to sign other certificates, they will be automatically rejected. For reference: RFC 5280 §4.2.1.9

July 11, 2019 19:46 PM

Look at your cert with a command like this: openssl x509 -text -in filename. See the CA:FALSE? That is a flag that says the certificate cannot be used as a CA, or to sign subordinate certificates.

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Not Before: Jul  8 22:26:53 2019 GMT
            Not After : Oct  6 22:26:53 2019 GMT
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE

No CA from a trusted root is going to give you a cert with that enabled. If they did, you would be able to MITM anyone in the world.

I'd like to create my own certificate, for different subdomains.

Just use Let's Encrypt. You can get all the free certs you want for domains that you can validate either by DNS or an HTTP challenge. You can use the official client or third-party clients. There are lots of easy-to-use clients for Let's Encrypt.

July 11, 2019 19:49 PM
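Both answers come down to the same validation rule, and it is easy to watch it fire. The script below is an added example, not code from either answer or from the original poster: it builds a throwaway PKI with the openssl CLI (the same tool available on CentOS 7), issues an end-entity cert with CA:FALSE like the one from sslforfree, signs a second subdomain cert with it (which openssl happily does), and then runs the same path validation a browser or mail client performs, which rejects it. For contrast it also issues a proper intermediate (CA:TRUE, keyCertSign) and shows that chain being accepted. All names (the example.com hosts, the "Example ..." CA subjects, file names) are illustrative assumptions, and the work happens in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the answers above. Shows that a CA:FALSE
# certificate can technically *sign* another certificate, but that path
# validation (openssl verify, like any browser) rejects the result, while a
# real subordinate CA (CA:TRUE + keyCertSign) is accepted.
# All subjects, hostnames and file names are illustrative assumptions.

# Generate a fresh RSA key and CSR: "$1.key" / "$1.csr" with CN="$2".
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Sign "$1.csr" with issuer "$2.crt"/"$2.key" using extension file "$3",
# writing "$1.crt". Note that the x509 tool does not check the issuer's
# CA bit at signing time; only validators do.
sign_with() {
    openssl x509 -req -sha256 -days 90 -in "$1.csr" \
        -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}

# Path validation as a relying party does it: trust anchor "$1",
# untrusted intermediate "$2", target cert "$3". Exit 0 only if valid.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Print the Basic Constraints value line of a cert ("CA:TRUE" / "CA:FALSE").
basic_constraints() {
    openssl x509 -in "$1" -noout -text | sed -n '/Basic Constraints/{n;s/^ *//;p;}'
}

# Build root, leaf, intermediate and two subordinate certs inside dir "$1".
# Runs in a subshell so the cd does not leak into the caller.
build_demo() (
    cd "$1" || exit 1

    # Extension profiles (RFC 5280 4.2.1.9 Basic Constraints, 4.2.1.3 Key Usage).
    # leaf.ext mirrors what a public CA issues for a web server: CA:FALSE,
    # no keyCertSign.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > inter.ext
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > leaf.ext

    # Self-signed root, standing in for the publicly trusted root.
    new_csr root 'Example Root CA' || exit 1
    openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key \
        -extfile ca.ext -out root.crt >/dev/null 2>&1 || exit 1

    # End-entity cert, like the one obtained from sslforfree.
    new_csr leaf 'www.example.com' || exit 1
    sign_with leaf root leaf.ext || exit 1

    # What the question asks for: another subdomain cert signed with the leaf.
    new_csr sub-via-leaf 'mail.example.com' || exit 1
    sign_with sub-via-leaf leaf leaf.ext || exit 1

    # The legitimate shape: a subordinate CA, then a leaf issued by it.
    new_csr inter 'Example Intermediate CA' || exit 1
    sign_with inter root inter.ext || exit 1
    new_csr sub-via-inter 'mail.example.com' || exit 1
    sign_with sub-via-inter inter leaf.ext || exit 1
)

WORK=$(mktemp -d)
build_demo "$WORK" || { echo "setup failed"; rm -rf "$WORK"; exit 1; }
echo "leaf Basic Constraints:  $(basic_constraints "$WORK/leaf.crt")"
echo "inter Basic Constraints: $(basic_constraints "$WORK/inter.crt")"
if verify_chain "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/sub-via-leaf.crt"; then
    echo "mail cert signed by CA:FALSE leaf: accepted (unexpected)"
else
    echo "mail cert signed by CA:FALSE leaf: rejected by path validation"
fi
if verify_chain "$WORK/root.crt" "$WORK/inter.crt" "$WORK/sub-via-inter.crt"; then
    echo "mail cert signed by CA:TRUE intermediate: accepted"
fi
rm -rf "$WORK"
```

The rejection comes from the issuer's Basic Constraints, not from anything wrong with the signature itself; run `openssl verify` without the redirects to see the "invalid CA certificate" error. The only way the second chain works is that the intermediate was issued by the root with CA:TRUE, which, as the second answer says, no public CA will do for a customer cert.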
