Root CA certificate (stored in browser)
Stored in the browser together with the Root CA's public key and a signature made with the Root CA's own private key (self-signed); it is always trusted by the browser.
Intermediate CA certificate (stored on server, sent to browser)
It is dangerous to use the Root CA to sign server SSL certificates directly; the workaround is to have the Root CA authorize an intermediate CA to sign server SSL certificates. This is accomplished by creating an intermediate CA certificate, in which the intermediate CA has the Root CA's name as issuer and carries a signature that can be verified (decrypted) using the Root CA's public key.
Server SSL certificate (stored on server, sent to browser)
Contains the server name, expiration date, server public key, the intermediate/Root CA issuer name, and a signature made with the intermediate/Root CA private key that can be verified (decrypted) using their public key.
When the browser has all three certificates, it begins validation, starting with the expiration date.
In a file (https://serverfault.com/questions/393822/how-do-i-install-intermediate-certificates-in-aws), the certificates the server sends are concatenated PEM blocks in this order:
-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
Self signed certificate and Root Certificate (SUDO):
1. Create the root CA private key.
2. Create the root CA certificate, containing the root CA name, expiration, root CA public key, and a signature signed by the root CA private key.
3. Create the server self signed private key.
4. Create the server self signed certificate, containing the server name, info, expiration, the server public key, the root CA issuer name, and a signature signed by the root CA private key.
5. Install the root CA certificate in the browser.

Implementation using OpenSSL: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

Create Root CA (Done once)
Create Root Key
Attention: this is the key used to sign the certificate requests; anyone holding this can sign certificates on your behalf. So keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a non password protected key, just remove the -des3 option.
Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate that needs to be distributed to all the computers that have to trust us.
Create a certificate (Done for each server)
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA.
Create the certificate key
openssl genrsa -out mydomain.com.key 2048
Create the signing request (csr)
The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case, since you created it earlier) to generate the certificate.
Important: Please mind that while creating the signing request it is important to specify the Common Name, providing the IP address or domain name for the service, otherwise the certificate cannot be verified.
I will describe here two ways to gener
Method A (Interactive)
If you generate the csr in this way, openssl will ask you questions about the certificate to generate, like the organization details and the Common Name (CN), that is the web address you are creating the certificate for, e.g. mydomain.com.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Method B (One Liner)
This method generates the same output as Method A but it's suitable for use in your automation :) .
openssl req -new -sha256 -key mydomain.com.key -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" -out mydomain.com.csr
If you need to pass additional config you can use the -config parameter; here for example I want to add alternative names to my certificate.
openssl req -new -sha256 \
  -key mydomain.com.key \
  -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
    <(printf "\n[SAN]\nsubjectAltName=DNS:mydomain.com,DNS:www.mydomain.com")) \
  -out mydomain.com.csr
Verify the csr's content
openssl req -in mydomain.com.csr -noout -text
Generate the certificate using the mydomain csr and key along with the CA Root key
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
Verify the certificate's content
openssl x509 -in mydomain.com.crt -text -noout

commented on Feb 28, 2018:
How does the private key fit in here? Doesn't the pem file need to be generated too?

commented on Mar 6, 2018:
The files with ".key" extension are the private keys.
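The whole procedure above run end to end and then checked the way the browser checks the chain (expiry, then the signature against the trusted root's public key, then the host name), as an added example that is not the page's or the gist's own code. It assumes openssl is on PATH; the CA subjects, the second untrusted CA and the host name untrusted.example are constructed for the demonstration, and the SAN is passed with -extfile at signing time because openssl x509 -req does not copy extensions from the CSR.

```shell
# Added example: root CA, CA-signed server certificate, browser-style verification.
# Assumes openssl on PATH; CA subjects and untrusted.example are constructed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Done once: root key and self-signed root certificate (steps 1 and 2).
make_root_ca() {                       # $1 = file prefix, $2 = CA common name
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key" -sha256 -days 1024 \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$2" -out "$WORK/$1.crt"
}

# Done per server: key, CSR, certificate signed by the CA's key (steps 3 and 4).
make_server_cert() {                   # $1 = host name, $2 = signing CA prefix
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" \
    -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$1" -out "$WORK/$1.csr"
  # 'openssl x509 -req' does not copy extensions from the CSR, so the SAN
  # (which browsers match the host name against) is supplied at signing time.
  printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$1" "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 500 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# What the browser does with the chain: expiry first, then the signature against
# the trusted root's public key, then the host name. Returns 0 only if all pass.
verify_like_browser() {                # $1 = host name, $2 = trusted root prefix
  openssl x509 -in "$WORK/$1.crt" -noout -checkend 0 >/dev/null || return 1
  openssl verify -CAfile "$WORK/$2.crt" -verify_hostname "$1" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

make_root_ca rootCA "MyOrg Root CA"      # the root installed in the browser
make_root_ca otherCA "Some Other CA"     # a root the browser does NOT trust
make_server_cert mydomain.com rootCA
make_server_cert untrusted.example otherCA

verify_like_browser mydomain.com rootCA && echo "mydomain.com: trusted via rootCA"
verify_like_browser untrusted.example rootCA || echo "untrusted.example: rejected, issuer not trusted"
openssl x509 -in "$WORK/mydomain.com.crt" -noout -issuer -dates
```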
