Create 4 Cross-Signed CAs
This is just an exercise to help me grasp some more advanced CA knowledge. It’s worth noting I have no idea what I’m doing here.
We will be creating 4 CAs:
EC 256
EC 384
RSA
ED25519
Directory Structure
Let’s make the directory layout to keep things tidy.
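# Working tree for the exercise. Every later section cd's into one of these
# per-CA directories and refers to the shared config as ../config/, so the
# layout matters. The cd is checked: if it failed, every key and certificate
# below would be written wherever the shell happened to be.
mkdir -p ca && cd ca || exit 1
mkdir -p config \
  root_ca1_ecdsa root_ca2_ecdsa root_ca3_rsa root_ca4_ed25519 \
  intermediate_ca1 intermediate_ca2 intermediate_ca3 intermediate_ca4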
Create the OpenSSL config files
The root CA config file
# Profile for the self-signed roots. [req_dn] is superseded by the -subj
# passed on each 'openssl req' command line; [v3_ca] is what turns the
# self-signed certificate into a CA (CA:true plus keyCertSign/cRLSign) and is
# picked up via the x509_extensions line when 'req -x509' is used.
# The delimiter is quoted so the shell leaves the body untouched.
cat > config/root_ca.cnf <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[req_dn]
C = US
ST = California
L = Venice Beach
O = Pwned Global
CN = Pwned Global Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
The intermediate CA config file
# Profile for the intermediates. Same shape as root_ca.cnf, but [v3_ca] adds
# pathlen:0 so an intermediate may issue end-entity certificates only, never
# another CA. This section is applied with '-extfile ... -extensions v3_ca'
# when the root signs the intermediate's CSR.
# The delimiter is quoted so the shell leaves the body untouched.
cat > config/intermediate_ca.cnf <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[req_dn]
C = US
ST = California
L = Venice Beach
O = Pwned Global
CN = Pwned Global Intermediate CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
The cross-sign config file
# Profile for the cross certificates (one root certifying another root's
# key). Its content is currently identical to root_ca.cnf; it is kept as a
# separate file so the cross-sign profile can diverge later (e.g. a pathlen
# or shorter lifetime) without touching the roots.
# Note for the signing step: 'openssl x509 -req -extfile' does not read the
# x509_extensions line under [req] (only 'req -x509' does), so [v3_ca] is
# applied only when '-extensions v3_ca' is passed explicitly.
# The delimiter is quoted so the shell leaves the body untouched.
cat > config/cross_sign.cnf <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[req_dn]
C = US
ST = California
L = Venice Beach
O = Pwned Global
CN = Pwned Global Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
Create the initial root CAs
CA1: EC256
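# CA1: P-256 ECDSA root. The other root sections start by cd'ing into their
# directory; this one needs it too, since the config is referenced as
# ../config/ and the key/cert are expected under root_ca1_ecdsa/.
cd root_ca1_ecdsa || exit 1
# ecparam -genkey writes the private key unencrypted; fine for an exercise,
# but restrict file permissions (or re-wrap the key) for anything real.
openssl ecparam -name secp256r1 -genkey -out ca1.key
# Self-signed root, 14600 days (~40 years). [v3_ca] from root_ca.cnf is applied
# through the x509_extensions line; -subj supersedes the [req_dn] section.
openssl req -x509 -new -nodes -key ca1.key -sha512 -days 14600 \
  -config ../config/root_ca.cnf -out ca1.crt \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA1 ECDSA"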
CA2: EC384
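# CA2: P-384 ECDSA root. The cd is checked so a failure cannot leave the key
# and certificate in the previous root's directory.
cd ../root_ca2_ecdsa || exit 1
# ecparam -genkey writes the private key unencrypted; restrict permissions
# (or re-wrap the key) for anything beyond an exercise.
openssl ecparam -name secp384r1 -genkey -out ca2.key
# Self-signed root, 14600 days (~40 years); [v3_ca] comes from root_ca.cnf.
openssl req -x509 -new -nodes -key ca2.key -sha512 -days 14600 \
  -config ../config/root_ca.cnf -out ca2.crt \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA2 ECDSA"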
CA3: RSA
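# CA3: RSA-4096 root. The cd is checked so a failure cannot leave the key
# and certificate in the previous root's directory.
cd ../root_ca3_rsa || exit 1
# genrsa without a cipher option writes the private key unencrypted; restrict
# permissions (or re-wrap the key) for anything beyond an exercise.
openssl genrsa -out ca3.key 4096
# Self-signed root, 14600 days (~40 years); [v3_ca] comes from root_ca.cnf.
openssl req -x509 -new -nodes -key ca3.key -sha512 -days 14600 \
  -config ../config/root_ca.cnf -out ca3.crt \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA3 RSA"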
CA4: ED25519
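# CA4: Ed25519 root. The cd is checked so a failure cannot leave the key
# and certificate in the previous root's directory.
cd ../root_ca4_ed25519 || exit 1
# genpkey writes the private key unencrypted; restrict permissions (or
# re-wrap the key) for anything beyond an exercise.
openssl genpkey -algorithm ED25519 -out ca4.key
# Self-signed root, 14600 days (~40 years); [v3_ca] comes from root_ca.cnf.
# Ed25519 has a fixed internal hash, so OpenSSL should ignore -sha512 for this
# key type; it is kept only for symmetry with the other roots.
openssl req -x509 -new -nodes -key ca4.key -sha512 -days 14600 \
  -config ../config/root_ca.cnf -out ca4.crt \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA4 Ed25519"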
Start the cross signing
Use CA1 to cross-sign CA2, CA3 and CA4 (CA1 issues a certificate for each of the other roots' keys):
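# CA1 issues a certificate over each other root's public key. The -subj on
# every CSR must match that root's self-signed certificate exactly so path
# building can substitute the cross cert for the self-signed one. Only the
# CSR normally moves between CAs; reading the peers' private keys directly
# works here only because this exercise keeps all four roots on one host.
# Output naming: caX_cross_caY.crt = CAX's key certified by CAY.
cd ../root_ca1_ecdsa || exit 1

# -extensions v3_ca is required on each 'x509 -req': the x509_extensions line
# in cross_sign.cnf's [req] section is only honoured by 'req -x509', so without
# it the cross cert would carry no basicConstraints/keyUsage and could not act
# as a CA (the intermediate signing commands already pass it).
openssl req -new -key ../root_ca2_ecdsa/ca2.key -out ca2.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA2 ECDSA"
openssl x509 -req -in ca2.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial \
  -out ca2_cross_ca1.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca2.csr

openssl req -new -key ../root_ca3_rsa/ca3.key -out ca3.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA3 RSA"
openssl x509 -req -in ca3.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial \
  -out ca3_cross_ca1.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca3.csr

openssl req -new -key ../root_ca4_ed25519/ca4.key -out ca4.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA4 Ed25519"
openssl x509 -req -in ca4.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial \
  -out ca4_cross_ca1.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca4.csr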
Use CA2 to cross-sign CA1, CA3 and CA4
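# CA2 certifies the other three roots' keys, same pattern as the CA1 section:
# each CSR's -subj must equal that root's self-signed subject, and
# -extensions v3_ca is what makes the cross cert a CA ('x509 -req -extfile'
# ignores the x509_extensions line under [req]).
# Output naming: caX_cross_caY.crt = CAX's key certified by CAY.
cd ../root_ca2_ecdsa || exit 1

openssl req -new -key ../root_ca1_ecdsa/ca1.key -out ca1.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA1 ECDSA"
openssl x509 -req -in ca1.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial \
  -out ca1_cross_ca2.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca1.csr

openssl req -new -key ../root_ca3_rsa/ca3.key -out ca3.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA3 RSA"
openssl x509 -req -in ca3.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial \
  -out ca3_cross_ca2.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca3.csr

openssl req -new -key ../root_ca4_ed25519/ca4.key -out ca4.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA4 Ed25519"
openssl x509 -req -in ca4.csr -CA ca2.crt -CAkey ca2.key -CAcreateserial \
  -out ca4_cross_ca2.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca4.csr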
Use CA3 to cross-sign CA1, CA2 and CA4
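# CA3 certifies the other three roots' keys, same pattern as the CA1 section:
# each CSR's -subj must equal that root's self-signed subject, and
# -extensions v3_ca is what makes the cross cert a CA ('x509 -req -extfile'
# ignores the x509_extensions line under [req]).
# Output naming: caX_cross_caY.crt = CAX's key certified by CAY.
cd ../root_ca3_rsa || exit 1

openssl req -new -key ../root_ca1_ecdsa/ca1.key -out ca1.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA1 ECDSA"
openssl x509 -req -in ca1.csr -CA ca3.crt -CAkey ca3.key -CAcreateserial \
  -out ca1_cross_ca3.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca1.csr

openssl req -new -key ../root_ca2_ecdsa/ca2.key -out ca2.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA2 ECDSA"
openssl x509 -req -in ca2.csr -CA ca3.crt -CAkey ca3.key -CAcreateserial \
  -out ca2_cross_ca3.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca2.csr

openssl req -new -key ../root_ca4_ed25519/ca4.key -out ca4.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA4 Ed25519"
openssl x509 -req -in ca4.csr -CA ca3.crt -CAkey ca3.key -CAcreateserial \
  -out ca4_cross_ca3.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca4.csr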
Use CA4 to cross-sign CA1, CA2 and CA3
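# CA4 certifies the other three roots' keys, same pattern as the CA1 section:
# each CSR's -subj must equal that root's self-signed subject, and
# -extensions v3_ca is what makes the cross cert a CA ('x509 -req -extfile'
# ignores the x509_extensions line under [req]). CA4 is Ed25519, whose hash is
# fixed by the algorithm, so -sha512 should be ignored for these signatures.
# Output naming: caX_cross_caY.crt = CAX's key certified by CAY.
cd ../root_ca4_ed25519 || exit 1

openssl req -new -key ../root_ca1_ecdsa/ca1.key -out ca1.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA1 ECDSA"
openssl x509 -req -in ca1.csr -CA ca4.crt -CAkey ca4.key -CAcreateserial \
  -out ca1_cross_ca4.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca1.csr

openssl req -new -key ../root_ca2_ecdsa/ca2.key -out ca2.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA2 ECDSA"
openssl x509 -req -in ca2.csr -CA ca4.crt -CAkey ca4.key -CAcreateserial \
  -out ca2_cross_ca4.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca2.csr

openssl req -new -key ../root_ca3_rsa/ca3.key -out ca3.csr \
  -config ../config/cross_sign.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Root CA3 RSA"
openssl x509 -req -in ca3.csr -CA ca4.crt -CAkey ca4.key -CAcreateserial \
  -out ca3_cross_ca4.crt -days 14600 -sha512 \
  -extfile ../config/cross_sign.cnf -extensions v3_ca
rm ca3.csr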
Create an intermediate CA for each root CA
Intermediate CA1
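# Intermediate CA1: P-256 key, signed by root CA1 for 7300 days (~20 years).
# '-extfile ... -extensions v3_ca' applies intermediate_ca.cnf's [v3_ca]
# (CA:true with pathlen:0). The cd is checked so nothing lands elsewhere.
cd ../intermediate_ca1 || exit 1
openssl ecparam -name secp256r1 -genkey -out intermediate1.key
openssl req -new -key intermediate1.key -out intermediate1.csr \
  -config ../config/intermediate_ca.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Intermediate CA1 ECDSA"
openssl x509 -req -in intermediate1.csr \
  -CA ../root_ca1_ecdsa/ca1.crt -CAkey ../root_ca1_ecdsa/ca1.key -CAcreateserial \
  -out intermediate1.crt -days 7300 -sha512 \
  -extfile ../config/intermediate_ca.cnf -extensions v3_ca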
Intermediate CA2
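# Intermediate CA2. The original block was a copy of the CA1 section (same
# directory, key name, curve, CN and signing root), so intermediate2.crt was
# never produced and the later verify step would fail on it. This version
# works in intermediate_ca2/, names its files intermediate2.*, and is signed
# by root CA2. The P-384 curve mirrors root CA2's own curve; the intermediate
# key does not have to match the root's, so change it if you prefer.
cd ../intermediate_ca2 || exit 1
openssl ecparam -name secp384r1 -genkey -out intermediate2.key
openssl req -new -key intermediate2.key -out intermediate2.csr \
  -config ../config/intermediate_ca.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Intermediate CA2 ECDSA"
# '-extensions v3_ca' applies intermediate_ca.cnf's [v3_ca] (CA:true, pathlen:0).
openssl x509 -req -in intermediate2.csr \
  -CA ../root_ca2_ecdsa/ca2.crt -CAkey ../root_ca2_ecdsa/ca2.key -CAcreateserial \
  -out intermediate2.crt -days 7300 -sha512 \
  -extfile ../config/intermediate_ca.cnf -extensions v3_ca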
Intermediate CA3
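# Intermediate CA3: RSA-4096 key, signed by root CA3 for 7300 days (~20 years).
# '-extfile ... -extensions v3_ca' applies intermediate_ca.cnf's [v3_ca]
# (CA:true with pathlen:0). The cd is checked so nothing lands elsewhere.
cd ../intermediate_ca3 || exit 1
openssl genrsa -out intermediate3.key 4096
openssl req -new -key intermediate3.key -out intermediate3.csr \
  -config ../config/intermediate_ca.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Intermediate CA3 RSA"
openssl x509 -req -in intermediate3.csr \
  -CA ../root_ca3_rsa/ca3.crt -CAkey ../root_ca3_rsa/ca3.key -CAcreateserial \
  -out intermediate3.crt -days 7300 -sha512 \
  -extfile ../config/intermediate_ca.cnf -extensions v3_ca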
Intermediate CA4
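# Intermediate CA4: Ed25519 key, signed by root CA4 for 7300 days (~20 years).
# '-extfile ... -extensions v3_ca' applies intermediate_ca.cnf's [v3_ca]
# (CA:true with pathlen:0). -sha512 should be ignored for an Ed25519 signer.
# The cd is checked so nothing lands elsewhere.
cd ../intermediate_ca4 || exit 1
openssl genpkey -algorithm ED25519 -out intermediate4.key
openssl req -new -key intermediate4.key -out intermediate4.csr \
  -config ../config/intermediate_ca.cnf \
  -subj "/C=US/ST=California/L=Venice Beach/O=Pwned Global/CN=Pwned Global Intermediate CA4 Ed25519"
openssl x509 -req -in intermediate4.csr \
  -CA ../root_ca4_ed25519/ca4.crt -CAkey ../root_ca4_ed25519/ca4.key -CAcreateserial \
  -out intermediate4.crt -days 7300 -sha512 \
  -extfile ../config/intermediate_ca.cnf -extensions v3_ca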
Create the Root CA bundle
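# Build the trust bundle from the four self-signed roots plus the twelve cross
# certificates (caX_cross_caY.crt = CAX's key certified by CAY).
# The list is explicit rather than a glob so a stray .crt in one of these
# directories can never end up trusted by accident.
# Note: everything in a -CAfile bundle is a trust anchor, so including the
# cross certs here means verification trusts them directly instead of
# walking a cross path; that is what this exercise wants, but a production
# trust store would hold only the self-signed roots and serve cross certs
# as part of the chain.
cd .. || exit 1
root_bundle_certs=(
  root_ca1_ecdsa/ca1.crt
  root_ca2_ecdsa/ca2.crt
  root_ca3_rsa/ca3.crt
  root_ca4_ed25519/ca4.crt
  root_ca1_ecdsa/ca2_cross_ca1.crt
  root_ca1_ecdsa/ca3_cross_ca1.crt
  root_ca1_ecdsa/ca4_cross_ca1.crt
  root_ca2_ecdsa/ca1_cross_ca2.crt
  root_ca2_ecdsa/ca3_cross_ca2.crt
  root_ca2_ecdsa/ca4_cross_ca2.crt
  root_ca3_rsa/ca1_cross_ca3.crt
  root_ca3_rsa/ca2_cross_ca3.crt
  root_ca3_rsa/ca4_cross_ca3.crt
  root_ca4_ed25519/ca1_cross_ca4.crt
  root_ca4_ed25519/ca2_cross_ca4.crt
  root_ca4_ed25519/ca3_cross_ca4.crt
)
cat -- "${root_bundle_certs[@]}" > root_bundle.pem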
Verify the intermediate CAs against the root bundle
# Check each intermediate against the bundle, one verify per CA. Because the
# bundle already trusts all four self-signed roots, each intermediate chains
# straight to its own root and the cross certificates are never exercised.
# To check a cross path instead, trust a single root and pass the cross cert
# as untrusted chain material, e.g.
#   openssl verify -CAfile root_ca2_ecdsa/ca2.crt \
#     -untrusted root_ca2_ecdsa/ca1_cross_ca2.crt intermediate_ca1/intermediate1.crt
for n in 1 2 3 4; do
  openssl verify -CAfile root_bundle.pem "intermediate_ca${n}/intermediate${n}.crt"
done