0Pricing
Cryptology Academy · Lesson

Creating and Managing Certificate Chains

Generate root CAs, intermediate CAs, and end-entity certificates with proper chain validation.

Root CA Generation

A root CA is a self-signed certificate that serves as the ultimate trust anchor. The root CA private key must be kept offline (on an air-gapped system or HSM) because its compromise undermines the entire PKI. "openssl req -x509 -new -nodes -key root_key.pem -sha256 -days 3650 -out root_cert.pem" generates a self-signed root certificate valid for 10 years.

Intermediate CA Generation

Intermediate CAs are signed by the root CA and used for day-to-day certificate issuance. First, generate the intermediate key and CSR: "openssl req -new -key intermediate_key.pem -out intermediate.csr". Then the root CA signs it: "openssl x509 -req -in intermediate.csr -CA root_cert.pem -CAkey root_key.pem -CAcreateserial -days 1825 -out intermediate_cert.pem".

All lessons in this course

  1. OpenSSL Command-Line Essentials
  2. Creating and Managing Certificate Chains
  3. OCSP Stapling and Certificate Transparency
  4. Let's Encrypt and ACME Protocol Automation
← Back to Cryptology Academy