I have an SSL certificate from sslforfree. I have the certificate and its
I'd like to create my own certificate for different subdomains. My hope is that somehow I can sign that certificate with my existing certificates in a way that it'll pass all those SSL checks that browsers, mail clients, and others do.
I followed through dozens of tutorials, but either I'm missing an important nuance, or those tutorials are not what I want.
Can anybody help me? How can I sign my new certificates with
Technically, you can do that, but no one will trust these certificates. Your SSL certificate is *NOT ALLOWED* to sign other certificates.
If you look at your certificate you may find a Basic Constraints certificate extension that indicates the subject type: end entity or CA. The isCA bit will be set to 0, implying that the holder of the certificate is an end entity. Certificate validation code will strictly check this field, and if it finds that an end-entity certificate was used to sign other certificates, they will be automatically rejected. For reference: RFC 5280 §4.2.1.9.
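To see the check described in the answer above in action, here is an added example (not from the question or either answer) that uses only Go's standard library `crypto/x509`: it builds a constructed root, issues a CA:FALSE server certificate from it, signs a second certificate with that server certificate's key, and runs the chain validator over both. The hostnames (root.example.test, www.example.test, mail.example.test) and the serial-number scheme are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn (self-signed when parent is nil); isCA selects CA:TRUE+keyCertSign or CA:FALSE+end-entity key usage.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // constructed serial
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // emits "X509v3 Basic Constraints: critical CA:TRUE|FALSE"
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // end-entity Key Usage bits
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err) // signing with a CA:FALSE parent does NOT fail here; rejection happens at validation time
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify validates sub against root, offering inter as the intermediate, the way a TLS or mail client does.
func verify(root, inter, sub *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: sub.DNSNames[0]})
	return err
}

// ChainCheck builds root (CA:TRUE) -> leaf (CA:FALSE, like a Let's Encrypt cert) -> sub signed with the leaf's key.
func ChainCheck() (leafErr, subErr error) {
	root, rootKey := mkCert("root.example.test", true, nil, nil)
	leaf, leafKey := mkCert("www.example.test", false, root, rootKey)
	sub, _ := mkCert("mail.example.test", false, leaf, leafKey)
	return verify(root, root, leaf), verify(root, leaf, sub)
}
```

The genuine chain validates with a nil error, while the certificate signed by the CA:FALSE leaf is rejected as signed by an unknown authority, with the validator's hint naming the leaf as a parent that cannot sign certificates.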
Look at your cert with a command like this:

`openssl x509 -text -in filename`

See the `CA:FALSE`? That is a flag that says the certificate cannot be used as a CA, or to sign subordinate certificates.
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Jul  8 22:26:53 2019 GMT
            Not After : Oct  6 22:26:53 2019 GMT
        ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
```
No CA from a trusted root is going to give you a cert with that enabled. If they did, you would be able to MITM anyone in the world.
I'd like to create my own certificate, for different subdomains.
Just use Let's Encrypt. You can get all the free certs you want for domains that you can validate either by DNS or by an HTTP challenge. You can use the official client or third-party clients. There are lots of easy-to-use clients for Let's Encrypt.