tls_docs/ca/certificate_signing.md

# Signing certificates for users and servers

Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Verify the CSR` section. ***IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING EVEN THOUGH THE CERTIFICATE CAN BE INSPECTED BEFORE SIGNING***.

### Generate the key (the -aes256 can be omitted to not require a password)
```
cd intermediate_ca
openssl genrsa -out private/server.key 2048
chmod 400 private/server.key
```

### Generate the CSR
```
openssl req -config intermediate.cnf -key private/server.crt -new -sha256 -out csr/server.csr
```

### Sign the certificate using the proper extension for the CSR to be signed, using the intermediate.cnf configuration. The example below uses the `server_cert` extension.
```
openssl ca -config intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/server.csr -out certs/server.crt
chmod 444 certs/server.crt
```

Alternatively, and recommended, certificate can be created with one or more, usually more, Subject Alternative Names (SAN) as other means of identifying a server. This useful when you want to refer to a server by different names, such as its hostname and FQDN and IP address or the server is part of a load balanced cluster so there is a need to refer to the load balancer IP or FQDN

### Generating the CSR with SAN(s) depending on the where the csr is being created, sudo su -c with the command in ' ' may be required.

Edit the *-subj* and *[SAN]* sections as necessary
```
openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=2LetterCountry/ST=YourStateorProvince/L=YourCityOrLocality/O=YourOrg/OU=YourOU/CN=example.com" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1")) \
    -out domain.csr # provide this to the CA for signing
```

### Verify the CSR

```
openssl req -in csr/server.csr -noout -text
```

### Sign the certificate
```
openssl ca -config intermediate.cnf -extensions server_cert -days <#-of-days> -notext -md sha256 -in csr/server.csr -out certs/server.crt 

```

The certificate to be signed will be sent to stdout after providing the password, which can be inspected to ensure it is correct. Select y to sign it and y again to add to the index database

### Verify the certificate and trust chain
```
openssl verify -CAfile certs/ca-bundle.crt certs/server.crt
```
The `verify` command should return OK, verifying the trust chain.

### Create the certificate archive bundle and transfer to the server/user if the CSR is is provided, a key will not be bundled, as it will reside with the server or the user. Use the desired transfer method to move the TLS bundle to the desired location
```
tar cvzf bundles/server-or-user.tar.gz certs/server-or-user certs/ca-bundle.crt (private/server-or-user.key added if key was created by the CA).
```
initial commit 2025-11-07 03:44:26 +00:00			`# Signing certificates for users and servers`

small grammar fix 2026-02-28 23:13:45 +00:00			Certificate Signing Requests (CSR) can for servers/user can be provided by the system owners or the users. This retains the privacy of the private key. The steps to create key, CSR, and certificate on the CA will be outlined here. If a CSR is provided, skip to the `Verify the CSR` section. *IT IS IMPORTANT TO INSPECT CSRs PROVIDED EXTERNALLY BEFORE SIGNING EVEN THOUGH THE CERTIFICATE CAN BE INSPECTED BEFORE SIGNING*.
initial commit 2025-11-07 03:44:26 +00:00
			`### Generate the key (the -aes256 can be omitted to not require a password)`
			```
			`cd intermediate_ca`
			`openssl genrsa -out private/server.key 2048`
			`chmod 400 private/server.key`
			```

			`### Generate the CSR`
			```
			`openssl req -config intermediate.cnf -key private/server.crt -new -sha256 -out csr/server.csr`
			```

			### Sign the certificate using the proper extension for the CSR to be signed, using the intermediate.cnf configuration. The example below uses the `server_cert` extension.
			```
			`openssl ca -config intermediate.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/server.csr -out certs/server.crt`
			`chmod 444 certs/server.crt`
			```

			`Alternatively, and recommended, certificate can be created with one or more, usually more, Subject Alternative Names (SAN) as other means of identifying a server. This useful when you want to refer to a server by different names, such as its hostname and FQDN and IP address or the server is part of a load balanced cluster so there is a need to refer to the load balancer IP or FQDN`

			`### Generating the CSR with SAN(s) depending on the where the csr is being created, sudo su -c with the command in ' ' may be required.`

			`Edit the -subj and [SAN] sections as necessary`
			```
			`openssl req -new -sha256 \`
			`-key domain.key \`
			`-subj "/C=2LetterCountry/ST=YourStateorProvince/L=YourCityOrLocality/O=YourOrg/OU=YourOU/CN=example.com" \`
			`-reqexts SAN \`
			`-config <(cat /etc/ssl/openssl.cnf \`
			`<(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1")) \`
			`-out domain.csr # provide this to the CA for signing`
			```

fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying 2026-02-28 23:03:36 +00:00			`### Verify the CSR`

initial commit 2025-11-07 03:44:26 +00:00			```
fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying 2026-02-28 23:03:36 +00:00			`openssl req -in csr/server.csr -noout -text`
initial commit 2025-11-07 03:44:26 +00:00			```

			`### Sign the certificate`
			```
fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying 2026-02-28 23:03:36 +00:00			`openssl ca -config intermediate.cnf -extensions server_cert -days <#-of-days> -notext -md sha256 -in csr/server.csr -out certs/server.crt`
initial commit 2025-11-07 03:44:26 +00:00
fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying 2026-02-28 23:03:36 +00:00			```
initial commit 2025-11-07 03:44:26 +00:00
fixed the signing command to add to the proper index and updated the intermediate.cnf with extension copying 2026-02-28 23:03:36 +00:00			`The certificate to be signed will be sent to stdout after providing the password, which can be inspected to ensure it is correct. Select y to sign it and y again to add to the index database`
initial commit 2025-11-07 03:44:26 +00:00
			`### Verify the certificate and trust chain`
			```
fixed certificate verify and bundle commands 2025-11-18 03:56:17 +00:00			`openssl verify -CAfile certs/ca-bundle.crt certs/server.crt`
initial commit 2025-11-07 03:44:26 +00:00			```
			The `verify` command should return OK, verifying the trust chain.

			`### Create the certificate archive bundle and transfer to the server/user if the CSR is is provided, a key will not be bundled, as it will reside with the server or the user. Use the desired transfer method to move the TLS bundle to the desired location`
			```
fixed certificate verify and bundle commands 2025-11-18 03:56:17 +00:00			`tar cvzf bundles/server-or-user.tar.gz certs/server-or-user certs/ca-bundle.crt (private/server-or-user.key added if key was created by the CA).`
initial commit 2025-11-07 03:44:26 +00:00			```