This procedure allows you to create a root certificate authority.
- Create the root certificate authority serial file:
$ echo 01 > MyRootCA.srl
- Create a CSR (Certificate Signing Request):
$ openssl req -new -out MyRootCA.csr
This creates a privkey.pem file that contains the RSA private key for that certificate and is protected by a password.
- Remove the password of the private key (Optional):
$ openssl rsa -in privkey.pem -out MyRootCA.pem
Note: Removing the password of a certificate authority's private key is not recommended.
- Create a self-signed certificate from the Certificate Signing Request for a validity period of 365 days:
$ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
    -req -signkey MyRootCA.pem -days 365
Note: If you want an official Root Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl).
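
The script below is an added example, not part of the original procedure: it repeats the steps non-interactively in a temporary directory, then checks that the certificate is self-signed, matches the private key and covers the 365-day period, and it flags a signing key that has no password. The -newkey, -keyout, -subj, -passout and -passin options, the subject name, the passphrase and all function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: checks on the files the root CA procedure produces.

# Exit 0 if the PEM private key file $1 is passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Exit 0 if certificate $1 and private key $2 hold the same public key.
# $3 is an optional openssl passphrase source; the empty default avoids a prompt.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if subject and issuer of certificate $1 are identical.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Exit 0 if certificate $1 is still valid $2 days from now.
valid_in_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# The page's steps in directory $1, made non-interactive with constructed values
# (-newkey, -keyout, -subj and the passphrase options are assumptions).
make_demo_ca() (
    cd "$1" || exit 1
    echo 01 > MyRootCA.srl
    openssl req -new -newkey rsa:2048 -keyout privkey.pem -out MyRootCA.csr \
        -subj '/CN=Constructed Demo Root CA' -passout pass:constructed-demo
    openssl rsa -in privkey.pem -passin pass:constructed-demo -out MyRootCA.pem
    openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
        -req -signkey MyRootCA.pem -days 365
) >/dev/null 2>&1

# Print one line per finding for the CA files in directory $1; exit 1 on a hard failure.
audit_root_ca() {
    rc=0
    cert_matches_key "$1/MyRootCA.crt" "$1/MyRootCA.pem" || { echo "FAIL: certificate and key differ"; rc=1; }
    is_self_signed "$1/MyRootCA.crt" || { echo "FAIL: subject and issuer differ"; rc=1; }
    valid_in_days "$1/MyRootCA.crt" 364 || { echo "FAIL: expires in under 364 days"; rc=1; }
    key_is_encrypted "$1/MyRootCA.pem" || echo "WARN: MyRootCA.pem has no passphrase"
    [ "$rc" -eq 0 ] && echo "OK: hard checks passed"
    return "$rc"
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_demo_ca "$demo_dir" && audit_root_ca "$demo_dir"
```

If the optional password-removal step was skipped, the signing key is privkey.pem rather than MyRootCA.pem; pass that file and a passphrase source as the second and third arguments of cert_matches_key.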