Generate a Custom Certificate

Follow the instructions below to generate a root certificate authority and an intermediate certificate using OpenSSL. The example is for reference only: for the signed certificates to be accepted, the CA you use must be one your organization has authorized and that every client trusts.

Create an OpenSSL Configuration File

Create an OpenSSL configuration file that defines the settings for generating certificates. Refer to the example configuration file below:

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
extensions = v3_req
[ new_oids ]
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section
####################################################################
[ CA_default ]
dir             = /tmp/pkioutput.TtrEdwnrXU
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir  # default place for new certs.
certificate     = $dir/CA_crt.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/CA_crl.pem               # The current CRL
private_key     = $dir/CA_key.pem
RANDFILE        = $dir/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
default_days    =                       # how long to certify for (the ca command below passes -days explicitly)
default_crl_days=                       # how long before next CRL
default_md  = sha256
preserve        = no                    # keep passed DN ordering
policy          = policy_match
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
# The four settings below must sit inside [ req ]; placed after [ alt_names ] they are silently ignored
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request
# With prompt = no this fixed DN is used for both the root and the intermediate; change CN
# (or pass -subj on the command line) between the two steps so the intermediate's subject differs from its issuer
[ dn ]
C = US
ST = California
L = Foster City
O = Qualys
OU = qualys
emailAddress = qgs@qualys.com
CN = qgs.proxy
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = qgs.proxy
# Used only when distinguished_name in [ req ] is set to req_distinguished_name and prompt = yes
[ req_distinguished_name ]
countryName                     = <Provide Country Name>
countryName_default             = <Provide Default Country Name>
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = <Provide State or Province Name>
stateOrProvinceName_default     = <Provide Default State or Province Name>
localityName                    = <Provide Locality>
localityName_default            = <Provide Default Locality>
0.organizationName              = O
0.organizationName_default      = Qualys
organizationalUnitName          = OU
organizationalUnitName_default  = qualys
commonName                      = CN
commonName_default              = qgs.proxy
commonName_max                  = 64
emailAddress                    = email
emailAddress_max                = 40
emailAddress_default    = qgs@qualys.com
[ req_attributes ]
challengePassword               =
challengePassword_min           = 0
challengePassword_max           = 20
unstructuredName                = qualys
[ usr_cert ]
nsComment                       = "OpenSSL Generated Certificate"
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = @alt_names
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

Generate Root CA Key Pair and Certificate

Generate a private key and a self-signed certificate for the root CA using OpenSSL's req command with the -x509 option. The -extensions v3_ca option applies the CA:true basicConstraints and the keyCertSign key usage defined in the configuration file above.

openssl req -x509 -days 3650 -nodes -config <OPENSSL_CONFIG_PATH> -newkey rsa:4096 -extensions v3_ca -keyout <PATH_TO_ROOT_CA_KEY> -out <PATH_TO_ROOT_CA>

Note that -nodes writes the root private key unencrypted. Restrict its file permissions and keep it off the proxy host: whoever holds this key can issue certificates that every client trusting the CA will accept for any site.

Generate Intermediate CA Key Pair and Certificate Signing Request (CSR)

The following commands generate a private key and a Certificate Signing Request (CSR) for the intermediate CA using OpenSSL's genrsa and req commands, respectively.

Generate Intermediate Key

openssl genrsa -out <INTERMEDIATE_KEY_PATH> 4096

Generate Intermediate Certificate Signing Request (CSR)

openssl req -new -sha256 -key <INTERMEDIATE_KEY_PATH> -config <OPENSSL_CONFIG_PATH> -out <INTERMEDIATE_CSR_PATH>

Generate Intermediate CA Certificate

The following command uses OpenSSL's ca command to issue the intermediate CA certificate from the CSR, signed with the root CA key. The -extensions v3_intermediate_ca option applies CA:true with pathlen:0, so the intermediate can sign end-entity certificates but not further CAs. Before running it, make sure the directory given as dir in the [ CA_default ] section exists and contains an empty index.txt file (the database); -create_serial generates the serial file if it is missing. The policy_match policy also requires the C, ST and O fields of the CSR to match those of the root certificate.

openssl ca -extensions v3_intermediate_ca -config <OPENSSL_CONFIG_PATH> -batch -create_serial -days <CERT_VALIDITY_DAYS> -keyfile <PATH_TO_ROOT_CA_KEY> -cert <PATH_TO_ROOT_CA> -in <INTERMEDIATE_CSR_PATH> -out <INTERMEDIATE_CERT_PATH> -notext

Things to Remember

The QGS SSL Bump feature requires a specific certificate configuration to enable secure traffic inspection and artifact caching. The following requirements must be met:

  • Certificate Authority Requirements

A private, self-signed Certificate Authority must be configured with the basicConstraints extension set to CA:TRUE. This setting enables the CA to issue certificates for intercepted HTTPS traffic. All client devices must trust this CA certificate to prevent SSL/TLS errors during traffic interception and decryption.

  • Certificate Format Requirements

QGS requires individual certificate configurations. Each certificate must be uploaded and configured separately in the system. The platform does not support concatenated certificate files (multiple certificates combined in a single file). This requirement ensures proper certificate validation during SSL/TLS processing.

When assigning certificates, verify that the Root and Intermediate certificates are signed with SHA-256 and carry the CA:TRUE basic constraint.

To check these, you can run the following command on OpenSSL Utility.

openssl x509 -noout -text -in certificate.pem

If the output contains the following values, the certificate is ready to upload.

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption

You must also verify whether the Root and Intermediate certificates are valid. To do so, run the following.

openssl verify -CAfile rootcert.pem intermediate.pem

Verify that the intermediate certificate, its CSR and its private key belong together: the MD5 digest of the RSA modulus must be identical for all three. The same check applies to any leaf or issuing certificate and its key.

intermediate certificate: openssl x509 -modulus -noout -in intermediate.pem | openssl md5

certificate signing request: openssl req -modulus -noout -in intermediate.csr | openssl md5

private key (end key): openssl rsa -modulus -noout -in private.key.pem | openssl md5
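Putting the generation procedure above together with the checks from Things to Remember, the following added example script (not Qualys tooling, and not the configuration file from this page verbatim) writes a trimmed configuration with the same section names, creates the CA directory and the empty index.txt that openssl ca needs, generates the root and intermediate as in the commands above, then runs the CA:TRUE, SHA-256, chain and modulus checks. The output directory, the Example Corp subject names, the distinct CN values passed with -subj, and the 2048-bit keys (for speed; use rsa:4096 as in the commands above) are assumptions of the example.

```sh
#!/bin/sh
# Added example, not Qualys-provided tooling. Output directory, DN values and
# key sizes are assumptions (2048-bit keys keep the run short; the page uses 4096).
set -eu

# Write a trimmed config with the same section names as the page's file. `dir`
# is fixed to the output directory so `openssl ca` finds its database there.
write_config() {
    out=$1
    cat > "$out/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $out
new_certs_dir  = \$dir
database       = \$dir/index.txt
serial         = \$dir/serial
default_md     = sha256
policy         = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = US
ST = California
O  = Example Corp
CN = qgs.proxy
[ alt_names ]
DNS.1 = qgs.proxy
[ v3_req ]
basicConstraints = CA:false
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName   = @alt_names
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Root key + self-signed root cert, intermediate key + CSR, then `openssl ca`.
# The [ dn ] section is a fallback only: -subj gives root and intermediate
# different CNs so the intermediate's subject differs from its issuer.
build_pki() {
    out=$1
    mkdir -p "$out"
    write_config "$out"
    : > "$out/index.txt"   # `openssl ca` refuses to run without its (empty) database
    cfg=$out/openssl.cnf
    base="/C=US/ST=California/O=Example Corp"   # C, ST, O must match for policy_match
    openssl req -x509 -days 3650 -nodes -config "$cfg" -newkey rsa:2048 \
        -extensions v3_ca -subj "$base/CN=Example Root CA" \
        -keyout "$out/root.key" -out "$out/root.crt" 2>/dev/null
    chmod 600 "$out/root.key"   # -nodes leaves the root key unencrypted
    openssl genrsa -out "$out/inter.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$out/inter.key" -config "$cfg" \
        -subj "$base/CN=Example Intermediate CA" -out "$out/inter.csr"
    openssl ca -extensions v3_intermediate_ca -config "$cfg" -batch \
        -create_serial -days 1825 -keyfile "$out/root.key" -cert "$out/root.crt" \
        -in "$out/inter.csr" -out "$out/inter.crt" -notext >/dev/null 2>&1
}

# Pre-upload checks from "Things to Remember": CA:TRUE and a SHA-256 signature
# on both certificates, the intermediate chains to the root, and certificate,
# CSR and key of the intermediate share one RSA modulus. Non-zero on failure.
check_pki() {
    out=$1
    for c in root inter; do
        txt=$(openssl x509 -noout -text -in "$out/$c.crt")
        echo "$txt" | grep -q 'CA:TRUE' || return 1
        echo "$txt" | grep -q 'sha256WithRSAEncryption' || return 1
    done
    openssl verify -CAfile "$out/root.crt" "$out/inter.crt" >/dev/null || return 1
    m_crt=$(openssl x509 -modulus -noout -in "$out/inter.crt" | openssl md5)
    m_csr=$(openssl req  -modulus -noout -in "$out/inter.csr" | openssl md5)
    m_key=$(openssl rsa  -modulus -noout -in "$out/inter.key" | openssl md5)
    [ "$m_crt" = "$m_csr" ] && [ "$m_crt" = "$m_key" ]
}

# Usage: sh make_ca.sh /path/to/outdir
if [ $# -gt 0 ]; then
    build_pki "$1" && check_pki "$1" && echo "PKI in $1 passes all checks"
fi
```

Run it as sh make_ca.sh /path/to/outdir. Each certificate lands in its own PEM file (root.crt and inter.crt), which matches the no-concatenation requirement above: upload them separately, and keep root.key off the proxy host.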
