Uemit Koc

Generating server certificate with OpenSSL on a Windows machine

Jun 20 2021 6:35 PM

I tried to create a server certificate as follows, but at step 11 I got the error message:

CA certificate and CA private key do not match

12144:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto\x509\x509_cmp.c:303:

error in ca

Thank you for your feedback if possible.

1. Create a Root Key

C:\root\ca>openssl

openssl> genrsa -aes256 -out private/ca.key.pem 4096

2. Create a Root Certificate (this is self-signed certificate)

OpenSSL> req -config openssl.cfg -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

3. Create an Intermediate Key

OpenSSL> genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096

4. Create an Intermediate certificate signing request

openssl> req -config intermediate/openssl.cfg -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem

5. Create intermediate certificate (using Root Key/Certificate)

OpenSSL> req -config openssl.cfg -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out intermediate/certs/intermediate.cert.pem

6. Quit OpenSSL

openssl> quit
C:\root\ca>

7. Get CA-Chain Cert
C:\root\ca>type intermediate\certs\intermediate.cert.pem certs\ca.cert.pem > intermediate\certs\ca-chain.cert.pem

8. Start OpenSSL
C:\root\ca>openssl

9. Create a Server Key
openssl>genrsa -aes256 -out intermediate/private/www.example.com.key.pem 4096 (previously 2048)

10. Create a Server Signing Request
openssl>req -config intermediate/openssl.cfg -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem

11. Create a Server Certificate (Using Server signing Request and Intermediate Certificate/Key)
openssl> ca -config intermediate/openssl.cfg -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -keyfile intermediate/private/intermediate.key.pem  -out intermediate/certs/www.example.com.cert.pem
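
The error at step 11 says the CA certificate and the CA private key belong to different key pairs. The following added example (not part of the original post; written for a POSIX shell, for example under WSL on Windows) checks that condition by comparing the public key inside a certificate with the one derived from a private key. It runs on a constructed throwaway PKI; the function names, file names and subject names are assumptions, and `x509 -req` stands in for `openssl ca` when building the comparison certificate.

```shell
#!/bin/sh
# Added example; every key, subject name and path below is constructed.

# Succeeds only if the certificate in $1 carries the public key of the private
# key in $2. An encrypted key (genrsa -aes256, as in the post) prompts for its
# passphrase. Returns 2 if either file cannot be read.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a constructed root + intermediate in directory $1, using unencrypted
# 2048-bit keys so the demo is fast and non-interactive.
build_constructed_pki() {
    d=$1
    openssl genrsa -out "$d/root.key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/int.key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/root.key.pem" -sha256 -days 1 \
        -subj "/CN=Constructed Root CA" -out "$d/root.cert.pem"
    # Same shape as step 5 of the post: req -x509 with the ROOT key, written
    # to the intermediate certificate file. The output is self-signed and
    # holds the root key's public half.
    openssl req -x509 -new -key "$d/root.key.pem" -sha256 -days 1 \
        -subj "/CN=Constructed Intermediate CA" -out "$d/int.step5.cert.pem"
    # For comparison: a CSR made from the intermediate key and signed by the
    # root. x509 -req stands in for `openssl ca` so no CA database is needed;
    # extensions are omitted because only the key binding matters here.
    openssl req -new -key "$d/int.key.pem" -sha256 \
        -subj "/CN=Constructed Intermediate CA" -out "$d/int.csr.pem"
    openssl x509 -req -in "$d/int.csr.pem" -CA "$d/root.cert.pem" \
        -CAkey "$d/root.key.pem" -CAcreateserial -sha256 -days 1 \
        -out "$d/int.signed.cert.pem" 2>/dev/null
}

tmp=$(mktemp -d) && build_constructed_pki "$tmp"
for c in int.step5.cert.pem int.signed.cert.pem; do
    if cert_matches_key "$tmp/$c" "$tmp/int.key.pem"; then
        echo "$c: matches int.key.pem"
    else
        echo "$c: does NOT match int.key.pem"
    fi
done
rm -rf "$tmp"
```

Against the real files from the post, the same check would be `cert_matches_key intermediate/certs/intermediate.cert.pem intermediate/private/intermediate.key.pem`, entering the key's passphrase when prompted.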


Answers (1)