Create a root certificate authority

This procedure allows you to create a root certificate authority.

  1. Create the root certificate authority serial file:
    $ echo 01 > MyRootCA.srl
  2. Create a CSR (Certificate Signing Request):
    $ openssl req -new -out MyRootCA.csr
    This also creates a privkey.pem file containing the RSA private key for that certificate, protected by a password.
  3. Remove the password of the private key (Optional):
    $ openssl rsa -in privkey.pem -out MyRootCA.pem
    Note: Removing the password of a certificate authority's private key is not recommended.
  4. Create a self-signed certificate from the Certificate Signing Request with a validity period of 365 days:
    $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
     -req -signkey MyRootCA.pem -days 365
    MyRootCA.pem is the file created in step 3. If you skipped step 3, specify privkey.pem for -signkey instead.
    Note: If you want an official Root Certificate Authority, you must send the CSR file to one of the established Certificate Authority companies on the Internet (instead of creating the certificate with openssl).
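
An unattended run of steps 1, 2 and 4, followed by a check of the resulting certificate, as an added example that is not part of the original procedure. The -newkey, -keyout, -subj, -passout and -passin options, the passphrase and the subject name are assumptions made so that it runs without prompts; step 3 is skipped, so -signkey takes privkey.pem.

```sh
#!/bin/sh
# Added example: unattended run of the procedure plus a check of the result.
# PASS and the subject name are constructed sample values. "pass:" exposes the
# passphrase on the command line and is used here only so the sample runs unattended.
PASS='constructed-passphrase'

# make_root_ca DIR: steps 1, 2 and 4 (step 3 skipped, so the key stays encrypted).
make_root_ca() (
    cd "$1" || exit 1
    echo 01 > MyRootCA.srl
    openssl req -new -newkey rsa:2048 -keyout privkey.pem -out MyRootCA.csr \
        -subj "/CN=Example Root CA" -passout "pass:$PASS" 2>/dev/null || exit 1
    openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
        -req -signkey privkey.pem -passin "pass:$PASS" -days 365 2>/dev/null
)

# check_root_ca CERT KEY: succeeds only if CERT is self-issued (subject equals
# issuer), has not expired, and carries the public key that belongs to KEY.
check_root_ca() (
    subject=$(openssl x509 -in "$1" -noout -subject) || exit 1
    issuer=$(openssl x509 -in "$1" -noout -issuer) || exit 1
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || { echo "subject != issuer" >&2; exit 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "expired" >&2; exit 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -passin "pass:$PASS" -pubout 2>/dev/null) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; exit 1; }
)

# Run the procedure in a scratch directory and verify what it produced.
dir=$(mktemp -d) && make_root_ca "$dir" &&
    check_root_ca "$dir/MyRootCA.crt" "$dir/privkey.pem" && echo "root CA verified in $dir"
```

The key comparison catches the case where the certificate was signed with a different key file than the one kept for the CA.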