I wish to create and use an X.509 CA certificate which I can use to sign our documents and wish to use the CAcert root and class 3 authorisation which are now in my system, thanks to arvidjaar.
My plan is to create a private key, create a CSR and then sign with a class 3 certificate from CAcert. This is my plan but my code may be rubbish.
Create private key
openssl genpkey -algorithm RSA -out client_ca_private.key
openssl req -new -key client_ca_private.key -out client_ca.csr
At this point I am stuck because I am not sure if I should use a .crt file or a .pem file. I assume the latter but this is all new to me and I would appreciate some advice please. Also my whole approach may be wrong so please help.
Use for what? CRT or PEM of what?
You have some assumptions that we do not know; you came to some conclusions that you do not explain, and you decided you need to do something, but you do not tell us what you are going to do exactly.
The two commands shown are all that is needed to create a certificate signing request using OpenSSL. There are dozens of step-by-step tutorials on the Internet showing how to do it. I have no idea where CRT or PEM enter the picture. It would be more productive if you provided a link to the tutorial you are using and, if some step is not clear, asked a question about it. Then we can at least understand what you mean.
I already told you that you have a very different idea of how public key cryptography works.
A CA certificate cannot be used to sign your CSR. A CSR is signed by the private key that is kept secret by the CA. The CA certificates that you download and install are used to verify other (client) certificates signed by this CA, not to sign your own CSR. Only the CA can sign your CSR.
My opening sentence should be clear but I shall repeat; I wish to create and use an X.509 CA certificate.
I had been working on doing this using the CAcert website but it will take time to obtain the required trust documents like signatures from assurers.
Meanwhile I have been working on a compromise solution, hence my question. My plan was to proceed with this command:-
openssl x509 -req -in client_ca.csr -CA class_3_ca.pem -CAkey class_3_ca_private.key -CAcreateserial -out client_ca.pem
This is where I gave up.
You do not and cannot have it. You cannot sign anything on behalf of any well-known CA. If you can, this CA is severely compromised.
You can establish your own CA and use this command to sign certificates on behalf of your own CA. You cannot use this command to sign certificates on behalf of CAcert.
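What the last reply describes, as an added example that is not part of the thread: a private CA created with OpenSSL signs the CSR from the question with the same `openssl x509 -req` command, and an attempt to sign while holding only the CA certificate fails. The names own_ca.key, own_ca.pem, ca.cnf and the certificate subjects are assumptions made for the example.

```shell
# Added example: a private CA signing the thread's client_ca.csr.
# own_ca.*, ca.cnf and all subject names are constructed for illustration.
set -eu

make_own_ca() {  # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Own Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
    # The CA private key is the only thing that can issue certificates.
    (umask 077; openssl genpkey -algorithm RSA -out "$1/own_ca.key" 2>/dev/null)
    # Self-signed root certificate: the public half, safe to distribute.
    openssl req -x509 -new -config "$1/ca.cnf" -key "$1/own_ca.key" \
        -sha256 -days 3650 -out "$1/own_ca.pem"
}

make_csr() {  # the two commands from the question, made non-interactive
    (umask 077; openssl genpkey -algorithm RSA -out "$1/client_ca_private.key" 2>/dev/null)
    openssl req -new -config "$1/ca.cnf" -subj "/CN=Example Document Signer" \
        -key "$1/client_ca_private.key" -out "$1/client_ca.csr"
}

sign_csr() {  # $1 = working directory, $2 = file passed to -CAkey
    openssl x509 -req -in "$1/client_ca.csr" -CA "$1/own_ca.pem" -CAkey "$2" \
        -CAcreateserial -extfile "$1/ca.cnf" -extensions v3_leaf \
        -sha256 -days 365 -out "$1/client_ca.pem" 2>/dev/null
}

verify_cert() {  # succeeds only if client_ca.pem chains to own_ca.pem
    openssl verify -CAfile "$1/own_ca.pem" "$1/client_ca.pem" >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_own_ca "$work"
make_csr "$work"
# Holding only the CA certificate (public) is not enough to issue:
if sign_csr "$work" "$work/own_ca.pem"; then echo "unexpected: signed without key" >&2; fi
sign_csr "$work" "$work/own_ca.key" && verify_cert "$work" && echo "client_ca.pem: OK"
```

Certificates issued this way are trusted only by systems where own_ca.pem has been installed as a trust anchor.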