@amigus
Last active October 29, 2023 00:10
An OpenSSL setup to generate a subordinate CA to Microsoft Certificate Services

OpenSSL Subordinate to Microsoft Root CA

Generate a Certificate Request

OpenSSL installs a default configuration file in /etc/ssl/openssl.cnf. The configuration defines a (boilerplate) v3_ca section. We can use it to generate a subordinate CA certificate request (a CSR) for Microsoft Certificate Services by executing:

openssl req -newkey 4096 -extensions v3_ca -addext 1.3.6.1.4.1.311.20.2=ASN1:PRINTABLESTRING:SubCA

ℹ️ The -addext is the important part: it adds the Microsoft "Certificate Template" extension (OID 1.3.6.1.4.1.311.20.2) naming the template the CA should issue from, here SubCA, the built-in Subordinate Certification Authority template.

Optional parameters for OpenSSL

Add -nodes to leave the private key unencrypted instead of protecting it with a passphrase ⚠️🔓

Add -keyout private/cakey.pem to save the private key to where /etc/ssl/openssl.cnf expects it.

Use -out with a path to save the CSR; without it the CSR is written to standard output. For example, -out $HOME/ca.req saves the CSR in your home directory.

Get the Certificate (from the CA)

Submit the resulting CSR to the Microsoft Certificate Services CA. It should respond with the subordinate CA certificate for download!
