I’ve been looking at how to create X509 certificates and I’m a bit confused. I understand the theory, and creating a single certificate is OK, but I don’t have the operational know-how to create the system as a whole.

Here are the requirements:

1) There will be one master server. The SSL certificate for this will not be signed by any authority: it is the root. This certificate (or at least the means to verify it) will be distributed with the application.

2) There may be any number of secondary servers. Each will generate its own certificate and submit it to the master server.

3) The master server will sign secondary certificates with the root.

The use-case is that a client connects to a secondary server and must be able to verify that its certificate has been signed by the root.

N.B. The master server is identified by a DNS hostname. The secondary servers may be named or may be identified by IP address alone.

Four questions:

Can someone please show me the openssl commands to accomplish each of those three steps?

Which, if any, of the files generated by those steps should not be distributed?

After step 3, does the master have to return a modified certificate to the secondary?

Do the secondary certificates have to be distributed by the trusted master, or is it sufficient for the client to validate any certificate advertised by the secondary?