Create a certificate authority

In this procedure you create an intermediate certificate authority whose certificate is signed by the root certificate authority you created earlier.

In this task you use the openssl tool to create a Certificate Signing Request (CSR) and a certificate authority.

  1. Create the certificate authority serial file:
    $ echo 01 > MyCA.srl

    This command creates a serial file with the initial hexadecimal value 01. OpenSSL reads this file for the serial number of the next certificate that MyCA issues and increments it after each signing, so no two certificates from this CA share a serial number. The serial file must have the same base name as the CA certificate with the extension .srl, because that is where openssl x509 looks for it by default when you sign with -CA MyCA.crt (the -CAserial option names a different file, and -CAcreateserial creates one automatically if it is missing).

  2. Create a certificate signing request and private key:
    $ openssl req -new -out MyCA.csr
    Follow the prompts to create the CSR. This command generates a new private key, writes it in PEM format, and writes a CSR containing the matching public key. The key is encrypted, so you are prompted for a passphrase for it. You are then prompted, field by field, for the subject of the certificate, that is, its Distinguished Name (DN). These are examples of what the prompts look like:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:.
    Entering a period (.) leaves a field empty; enter a Common Name that identifies the CA, because it is the subject name that appears in the certificate chain. Two files are created: MyCA.csr and a file called privkey.pem. The name privkey.pem is the default_keyfile value from the OpenSSL configuration file; use the -keyout option to choose a different name.
  3. Remove the private key password (Optional):
    $ openssl rsa -in privkey.pem -out MyCA.pem
    You are prompted for the passphrase.
    Warning:

    Removing the password of a certificate authority's private key is not recommended.

  4. Create a certificate authority from the CSR, signed by the root certificate authority created in Create a root certificate authority:
    $ openssl x509 -in MyCA.csr -out MyCA.crt -req \
        -CA MyRootCA.crt -CAkey MyRootCA.pem -days 365
    You are prompted for the passphrase of the root CA private key. The serial number is taken from MyRootCA.srl, the root CA's serial file.
    Note: openssl x509 -req does not add any X.509 v3 extensions unless you pass them with the -extfile and -extensions options. A certificate without basicConstraints CA:TRUE is rejected as an issuer by modern TLS libraries, so certificates that MyCA later signs will not verify. Check the result with openssl x509 -in MyCA.crt -noout -text and confirm that the Basic Constraints extension shows CA:TRUE before using MyCA to issue certificates.
    Note: About the CSR and its private key:
    • If you want a publicly trusted certificate authority, you must send the CSR file to one of the commercial Certificate Authorities on the Internet instead of signing it with openssl yourself. See Encryption and authentication.
    • The CSR contains the public key and the subject name, signed with the private key to prove possession. The CSR itself is not used for encryption; once the certificate is issued, its public key can encrypt data that only the corresponding private key can decrypt, and it verifies signatures that the private key creates.
    The certificate authority certificate is output in MyCA.crt.
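The following script is an added example, not part of the original page or product documentation. It carries out steps 1 to 4 non-interactively, including the root CA from the earlier task and the leaf certificate from the next one, and shows why the extension caveat matters: the same CSR is signed once exactly as printed in step 4 and once with a CA extension section attached, and only the second result can issue a certificate that verifies against the root. The configuration file ca.cnf, the CA_PASS passphrase variable, the section names v3_root, v3_intermediate and v3_leaf, and the host name server.example are assumptions made for this example; it requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original page): root CA, intermediate CA signed
# by it, and a leaf certificate, then chain verification.
# Assumed: OpenSSL 1.1.1+ on PATH. The names MyRootCA/MyCA follow the page;
# ca.cnf, CA_PASS, the section names and server.example are made up here.
set -eu

export CA_PASS=changeit   # demo value; in practice read it from a secret store

write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = MyRootCA
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example
EOF
}

# Builds everything inside $1. Runs in a subshell so the cd does not leak.
build_ca_chain() (
  write_ca_config "$1"
  cd "$1"
  echo 01 > MyCA.srl     # step 1: serial file for the certificates MyCA issues

  # Root CA from the earlier task: self-signed, CA:TRUE, encrypted key.
  openssl req -x509 -new -newkey rsa:2048 -keyout MyRootCA.pem -out MyRootCA.crt \
    -days 3650 -config ca.cnf -extensions v3_root -passout env:CA_PASS 2>/dev/null

  # Step 2: CSR plus encrypted private key for the intermediate CA.
  openssl req -new -newkey rsa:2048 -keyout MyCA.pem -out MyCA.csr \
    -subj /CN=MyCA -config ca.cnf -passout env:CA_PASS 2>/dev/null

  # Step 4 exactly as printed: no extensions, so the result is not a CA.
  openssl x509 -req -in MyCA.csr -CA MyRootCA.crt -CAkey MyRootCA.pem \
    -CAcreateserial -days 365 -passin env:CA_PASS -out MyCA-noext.crt 2>/dev/null

  # Step 4 with the CA extensions attached from ca.cnf.
  openssl x509 -req -in MyCA.csr -CA MyRootCA.crt -CAkey MyRootCA.pem \
    -CAcreateserial -days 365 -passin env:CA_PASS \
    -extfile ca.cnf -extensions v3_intermediate -out MyCA.crt 2>/dev/null

  # Next task: a server certificate issued by MyCA; its serial comes from MyCA.srl.
  openssl req -new -newkey rsa:2048 -nodes -keyout server.pem -out server.csr \
    -subj /CN=server.example -config ca.cnf 2>/dev/null
  openssl x509 -req -in server.csr -CA MyCA.crt -CAkey MyCA.pem -days 90 \
    -passin env:CA_PASS -extfile ca.cnf -extensions v3_leaf -out server.crt 2>/dev/null
)

# Returns 0 when the certificate carries basicConstraints CA:TRUE.
has_ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when LEAF ($3) chains to ROOT ($1) via INTERMEDIATE ($2). This is
# the check a TLS client performs; it fails when the intermediate lacks CA:TRUE.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

if [ "${1:-}" = run ]; then
  dir=$(mktemp -d)
  build_ca_chain "$dir"
  verify_chain "$dir/MyRootCA.crt" "$dir/MyCA.crt" "$dir/server.crt" && echo "chain OK"
  verify_chain "$dir/MyRootCA.crt" "$dir/MyCA-noext.crt" "$dir/server.crt" || \
    echo "chain through MyCA-noext.crt rejected: no CA:TRUE"
fi
```

Both MyCA.crt and MyCA-noext.crt carry the same subject and public key, so OpenSSL finds either one as the issuer of server.crt; the chain is accepted only through the certificate whose basicConstraints say it is a CA. The pathlen:0 constraint on the intermediate is an extra restriction worth keeping: it stops MyCA from issuing further CA certificates. Passphrases are passed as env:CA_PASS rather than on the command line so that they do not show up in the process list.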
What to do next

Your next task is to create a certificate as detailed in Create a certificate.