Because of the validations done on the SSL certs, the cert cannot be a self-signed cert. I have therefore used the following commands with openssl (for Windows) to create a CA and a derived crt. I have successfully done this several years ago, and I think I ran into this issue before, but I cannot remember how I solved it. Nor can I find another post that solves the issue or reminds me what the solution was.
I am using the following commands:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl genrsa -out derived.key 2048
openssl req -new -key derived.key -out derived.csr
openssl x509 -req -in derived.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out derived.crt -days 1825 -sha256 -extfile derived.ext

[derived.ext file contents]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
The CA cert (myCA.pem file) installs fine into the trusted roots folder. The derived.crt installs fine into the personal store and validates properly with the CA. However, the derived.crt does not show a private key and cannot be used for SSL. Can anyone tell me what step I got wrong or am missing?
Best Answer
I seem to have solved the issue finally. Apparently a .crt file cannot contain a private key. Using the following command, I merged the .crt and key into a .pfx file, which imported and now shows a private key:
openssl pkcs12 -export -in derived.crt -inkey derived.key -out derived.pfx
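The whole procedure from the question plus the PKCS#12 step from the answer, as an added example that is not the poster's own commands: it builds the CA, signs the leaf with the SAN extension file, exports the .pfx, and then checks that the leaf chains to the CA, that the .crt carries no private key, and that the .pfx does. It assumes a POSIX shell with openssl on the path; the domain leaf.example.test (standing in for %%DOMAIN%%) and both passwords are constructed sample values.

```shell
#!/bin/sh
set -eu
WORK="$(mktemp -d)"
CA_PASS='pass:ca-demo-password'     # constructed sample password for myCA.key
PFX_PASS='pass:pfx-demo-password'   # constructed sample export password
DOMAIN='leaf.example.test'          # hypothetical value for %%DOMAIN%%

build_chain() {
  cd "$WORK"
  # 1. Encrypted CA key (as in the question) and self-signed CA cert
  openssl genrsa -des3 -passout "$CA_PASS" -out myCA.key 2048
  openssl req -x509 -new -key myCA.key -passin "$CA_PASS" -sha256 -days 1825 \
    -subj "/CN=Demo Root CA" -out myCA.pem
  # 2. Leaf key and CSR
  openssl genrsa -out derived.key 2048
  openssl req -new -key derived.key -subj "/CN=$DOMAIN" -out derived.csr
  # 3. Extension file: end-entity cert (CA:FALSE) with a DNS SAN
  cat > derived.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
EOF
  # 4. Sign the CSR with the CA
  openssl x509 -req -in derived.csr -CA myCA.pem -CAkey myCA.key -passin "$CA_PASS" \
    -CAcreateserial -out derived.crt -days 1825 -sha256 -extfile derived.ext
  # 5. Bundle cert + private key into PKCS#12 (the fix from the answer)
  openssl pkcs12 -export -in derived.crt -inkey derived.key -passout "$PFX_PASS" \
    -out derived.pfx
}

# Leaf verifies against the CA and carries the expected SAN
leaf_verifies() {
  openssl verify -CAfile "$WORK/myCA.pem" "$WORK/derived.crt" >/dev/null &&
  openssl x509 -in "$WORK/derived.crt" -noout -text | grep -q "DNS:$DOMAIN"
}

# The .crt is certificate-only; the .pfx is what carries the private key
crt_lacks_key() { ! grep -q 'PRIVATE KEY' "$WORK/derived.crt"; }
pfx_has_key() {
  openssl pkcs12 -in "$WORK/derived.pfx" -passin "$PFX_PASS" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

build_chain
```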