Category: Issue Certificates
Complexity: * (Medium-High)
Prerequisites: CSR available, Intermediate CA
Estimated Time: 10-15 minutes
</WRAP>
----
===== Description =====
This scenario describes how an Intermediate CA issues a TLS server certificate. The certificate enables HTTPS encryption for web servers, APIs, and other TLS-protected services.

What is created:
  * X.509 v3 server certificate
  * Signed with ML-DSA-65 (Post-Quantum)
  * Extensions for TLS server

----
===== Workflow =====
<mermaid>
flowchart LR
    CSR[Load CSR] --> VERIFY[Verify CSR]
    VERIFY --> EXT[Set extensions]
    EXT --> SERIAL[Generate serial]
    SERIAL --> SIGN[Sign with CA]
    SIGN --> EXPORT[Export as PEM]
    style SIGN fill:#e8f5e9
</mermaid>
----
===== Code Example (C#) =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load Intermediate CA
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Load and verify CSR
var csr = ctx.LoadCertificateRequest(File.ReadAllText("server.csr.pem"));
if (!csr.VerifySignature())
    throw new CryptographicException("Invalid CSR signature");

// Issue server certificate
var serverCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365, // 1 year
    extensions: new ExtBuilder()
        // Basic Constraints: Not a CA
        .BasicConstraints(ca: false, critical: true)
        // Key Usage for TLS
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment, critical: true)
        // Extended Key Usage: Server Auth
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        // Subject Key Identifier
        .SubjectKeyIdentifier(csr.PublicKey)
        // Authority Key Identifier
        .AuthorityKeyIdentifier(caCert)
        // CRL Distribution Point
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        // OCSP Responder
        .AuthorityInfoAccess(
            ocspUrl: "http://ocsp.example.com",
            caIssuersUrl: "http://ca.example.com/intermediate.crt"
        )
        .Build()
);

// Save
serverCert.ToPemFile("server.crt.pem");

// Create certificate chain (server certificate first, then the Intermediate CA)
var chain = $"{serverCert.ToPem()}\n{caCert.ToPem()}";
File.WriteAllText("server-chain.pem", chain);

Console.WriteLine("Server certificate issued:");
Console.WriteLine($"  Subject: {serverCert.Subject}");
Console.WriteLine($"  Issuer: {serverCert.Issuer}");
Console.WriteLine($"  Serial: {serverCert.SerialNumber}");
Console.WriteLine($"  Valid until: {serverCert.NotAfter:yyyy-MM-dd}");
</code>
----
===== Extensions for Server Certificates =====
^ Extension ^ Value ^ Critical ^ Description ^
| Basic Constraints | CA=false | Yes | Not a CA certificate |
| Key Usage | digitalSignature, keyEncipherment | Yes | TLS handshake |
| Extended Key Usage | serverAuth | No | Server authentication |
| Subject Key Identifier | Hash(PublicKey) | No | Key ID |
| Authority Key Identifier | CA-SKI | No | Issuer reference |
| Subject Alt Name | DNS names | No | Taken from CSR |
| CRL Distribution Points | URL | No | Revocation checking |
| Authority Info Access | OCSP, CA Issuers | No | Validation helpers |
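
The table notes that Subject Alt Name is taken from the CSR, so the requested names should be vetted before the CA signs them. The following is an added example, not part of the original page or of the WvdS library: it uses only the standard .NET 7+ X.509 API, and the allowed suffix ''.example.com'', the class and method names, and the ECDSA sample CSR are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CsrSanPolicy
{
    // Hypothetical issuance policy: the only DNS suffix this requester may use.
    const string AllowedSuffix = ".example.com";

    // Returns the vetted DNS names; throws if the CSR asks for anything outside policy.
    public static string[] ApprovedDnsNames(string csrPem)
    {
        // Loading also verifies the CSR self-signature and throws CryptographicException if it is bad.
        var csr = CertificateRequest.LoadSigningRequestPem(csrPem, HashAlgorithmName.SHA256,
            CertificateRequestLoadOptions.UnsafeLoadCertificateExtensions);
        var raw = csr.CertificateExtensions.FirstOrDefault(e => e.Oid?.Value == "2.5.29.17")
            ?? throw new InvalidOperationException("CSR has no subjectAltName");
        var san = new X509SubjectAlternativeNameExtension(raw.RawData, raw.Critical);

        if (san.EnumerateIPAddresses().Any())
            throw new InvalidOperationException("IP address SANs are not allowed");
        var names = san.EnumerateDnsNames().ToArray();
        if (names.Length == 0)
            throw new InvalidOperationException("CSR has no dNSName entries");
        foreach (var n in names)
            if (n.Contains('*') || !n.EndsWith(AllowedSuffix, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException($"SAN outside policy: {n}");
        return names; // build the certificate's SAN from this list, not from the raw CSR bytes
    }

    // Constructed sample CSR (ECDSA P-256) so the check runs offline.
    static string SampleCsr(params string[] dnsNames)
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=www.example.com", key, HashAlgorithmName.SHA256);
        var sb = new SubjectAlternativeNameBuilder();
        foreach (var d in dnsNames) sb.AddDnsName(d);
        req.CertificateExtensions.Add(sb.Build());
        return req.CreateSigningRequestPem();
    }

    static void Main()
    {
        Console.WriteLine(string.Join(",", ApprovedDnsNames(SampleCsr("www.example.com"))));
        try { ApprovedDnsNames(SampleCsr("www.example.com", "login.example.net")); }
        catch (InvalidOperationException ex) { Console.WriteLine($"Rejected: {ex.Message}"); }
    }
}
```

Returning the approved list and rebuilding the SAN from it means any other name types in the request (URI, e-mail) are dropped rather than copied into the certificate.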
----
===== Industry-Specific Validity Periods =====
^ Industry ^ Validity ^ Rationale ^
| Standard IT | 1 year (365 days) | CA/Browser Forum Maximum |
| Energy/SCADA | 3-5 years | Long maintenance cycles |
| Healthcare | 1-2 years | Compliance requirements |
| Automotive | 2-3 years | Vehicle lifecycle |
Recommendation: For public websites max. 398 days (CA/B Forum). For internal services, longer validity periods may be appropriate.
----
===== Output Files =====
==== server.crt.pem ====
<code>
-----BEGIN CERTIFICATE-----
MIIHxjCCBiagAwIBAgIUP7J2kM9x…
-----END CERTIFICATE-----
</code>
==== server-chain.pem ====
<code>
-----BEGIN CERTIFICATE-----
(Server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA)
-----END CERTIFICATE-----
</code>
----
===== Nginx Configuration =====
<code nginx>
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/server-chain.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key.pem;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
}
</code>
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| Prerequisite | 2.1 Server CSR | Create CSR |
| Prerequisite | 1.2 Intermediate CA | Signing CA |
| Next Step | 10.1 TLS Server Setup | Deploy certificate |
| Related | 3.2 Client Certificate | For mTLS |
----
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional