Theory is useless without practice. In this lab, you will act as a Certificate Authority (CA). You will create a Root CA, an Intermediate CA, and a Leaf certificate, simulating a real-world PKI hierarchy.
The Root CA is the ultimate source of trust. It must be created with a long lifespan and kept secure.
๐ก In production, the rootCA.key would be stored in an offline HSM, not on your hard drive.
To protect the root, we create an Intermediate CA. The root signs the intermediate, and the intermediate signs the actual servers.
# 1. Generate Intermediate Key
openssl genrsa -out intermediate.key 4096
# 2. Generate CSR (Certificate Signing Request)
openssl req -new -key intermediate.key -out intermediate.csr
# 3. Root CA signs the Intermediate CSR
openssl x509 -req -in intermediate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out intermediate.crt -days 1095 -sha256The intermediate certificate is now trusted because it was signed by the Root CA. This is the 'Chain of Trust' in action.
| File | Role | Sensitivity |
|---|---|---|
| rootCA.key | Root Secret | Critical (Ultra-Secret) |
| intermediate.crt | Public Trust | Low (Public) |
| server.key | Server Secret | High (Secret) |
| server.crt | Server ID | Low (Public) |
Finally, we must verify that the certificate chain is valid. If any link is missing or expired, the connection will be rejected.
Never use the Root CA key to sign leaf certificates directly. If a leaf is compromised, you'd have to rotate the root, breaking everything.
Verify exercises to earn โ 200 XP and unlock next lab level.