Issue Certificates

Lars Jönsson 2025-11-15

Issue certificates using a private Certificate Authority.

Overview

This guide uses a private CA set up as described in Install Certificate Authority (CA).

The certificate of the Issuer CA is rather long-lived, which means that the same version of the Issuer certificate may be used to sign multiple certificates for the same user. Each issued certificate therefore includes a version number to differentiate certificates for the same user, e.g. example-v2.1-2.crt.

The format is:

<name>-<issuer-ver>-<seq-no>.crt
  • name: Name of the certificate
  • issuer-ver: Version of the Issuer CA
  • seq-no: Sequence number of this certificate under that version of the Issuer CA

The Certificate Signing Request (CSR) also includes a sequence number, e.g. example-2.csr. The same CSR can be reused when issuing a new certificate, but normally a new CSR is used.

Usage of the Issuer CA

Preparation

Set up some environment variables to simplify the signing.

DOMAIN=<domain-name>
CERT=<cert-name>
  • domain-name: Domain name of the CA, e.g. example.com
  • cert-name: File name of the certificate, e.g. cert.example.com

Check if any CSR is already available.

ls ~/CA/${DOMAIN}.ca/issuer-ca/certreqs/${CERT}*

Set the CSR sequence number to the next available. Use 1 if this is the first CSR.

SEQ_CSR=1

Check if any certificate is already available.

ls ~/CA/${DOMAIN}.ca/issuer-ca/certs/${CERT}*

Set the certificate sequence number to the next available. Use 1 if this is the first certificate.

SEQ_CRT=1

Create certificate

Go to the Issuer CA directory and retrieve its version. The directory is a symlink whose target ends in the version, e.g. issuer-ca-v2.1, so the last dash-separated field of the link target is the version.

cd ~/CA/${DOMAIN}.ca/issuer-ca
VER=$(readlink "${PWD}" | awk -F- '{print $NF}')

Set up the names of the CSR and certificate files.

CSR=${CERT}-${SEQ_CSR}.csr
CRT=${CERT}-${VER}-${SEQ_CRT}.crt
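The sequence-number and version lookups above can be automated instead of read off an ls listing. This is an added shell example, not part of the original guide; it assumes the directory layout ~/CA/${DOMAIN}.ca/issuer-ca/{certreqs,certs} and the file naming scheme described earlier, and counts certificate sequence numbers per Issuer CA version, as the naming scheme requires.

```shell
#!/bin/sh
# Added example (not from the original guide). Computes the next free sequence
# number for files named <prefix>-<n>.<ext>, printing 1 when none exist yet.
next_seq() {
    dir=$1; prefix=$2; ext=$3
    max=0
    for f in "$dir/$prefix"-*."$ext"; do
        [ -e "$f" ] || continue                 # no match: the glob stays literal
        rest=${f#"$dir/$prefix"-}               # text after "<prefix>-"
        n=${rest%."$ext"}                       # drop the extension
        case $n in
            ''|*[!0-9]*) continue ;;            # not a bare number, e.g. foo-extra-1.csr
        esac
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# next_csr_seq CA_DIR CERT -> next free <n> for certreqs/<CERT>-<n>.csr
next_csr_seq() {
    next_seq "$1/certreqs" "$2" csr
}

# next_crt_seq CA_DIR CERT VER -> next free <n> for certs/<CERT>-<VER>-<n>.crt
# Certificates signed by another Issuer CA version are not counted.
next_crt_seq() {
    next_seq "$1/certs" "$2-$3" crt
}

# issuer_version LINK_TARGET -> last dash-separated field, e.g. issuer-ca-v2.1 -> v2.1
# (same rule as the readlink | awk pipeline in the guide)
issuer_version() {
    printf '%s\n' "${1##*-}"
}

# Usage with the guide's variables (assumes DOMAIN and CERT are already set):
#   CA_DIR=~/CA/${DOMAIN}.ca/issuer-ca
#   VER=$(issuer_version "$(readlink "$CA_DIR")")
#   SEQ_CSR=$(next_csr_seq "$CA_DIR" "$CERT")
#   SEQ_CRT=$(next_crt_seq "$CA_DIR" "$CERT" "$VER")
```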

Copy the CSR to the CA.

cp .../<csr-file> ~/CA/${DOMAIN}.ca/issuer-ca/certreqs/${CSR}

Select the Issuer CA configuration and set a fresh random serial number for the certificate to be issued.

export OPENSSL_CONF=./intermed-ca.cnf
openssl rand -hex 16 > intermed-ca.serial

Sign the certificate

  • When SAN (Subject Alternative Name) is set in the CSR

    openssl ca -notext -in certreqs/${CSR} -out certs/${CRT} -extensions server_ext

  • When SAN is missing in the CSR

    ALTNAME=DNS:<hostname-1>,DNS:<hostname-2>,IP:<ip-address> \
    openssl ca -notext -in certreqs/${CSR} -out certs/${CRT} -extensions server_ext_san

    The Common Name (CN) of the CSR is usually used as the SAN and can be retrieved with the following command:

    openssl req -noout -subject -in certreqs/${CSR} | sed -n '/^subject/s/^.*CN\s*=\s*//p'

Copy the certificate to the user.

cp ~/CA/${DOMAIN}.ca/issuer-ca/certs/${CRT} <user-location>