Step 1: Create the root certificate authority

Generate a root certificate authority that signs a client certificate.

  • Create the root certificate authority serial file:

    $ echo 01 > MyCompanyCA.srl

  • Create the Root Authority's Certificate Signing Request and private key:

    $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem

  • Create the Root Certificate Authority certificate, valid for 2 years:

    $ openssl x509 -trustout -in MyCompanyCA.csr -out MyCompanyCA.crt \
        -req -signkey MyCompanyCA.pem -days 730

Important: Handle the private key file (MyCompanyCA.pem) of a Root Certificate Authority with care. The validity of every certificate signed by this authority depends on this file, so it must not be accessible to other users.
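
The following script is an added example, not part of the original procedure: it runs the three commands above non-interactively and then checks the result (self-signed, key matches certificate, 730-day validity, key readable by its owner only). The CA_PASS passphrase variable, the -subj value, and the function names make_root_ca and check_root_ca are assumptions made for the example.

```shell
#!/bin/sh
# Added example: the three Step 1 commands, run non-interactively, then checked.
# CA_PASS and the -subj value are constructed sample values, not from the page.

make_root_ca() {   # $1 = directory that will hold the CA files
    (
        cd "$1" || exit 1
        umask 077                       # new files readable by the owner only
        echo 01 > MyCompanyCA.srl       # serial file
        # CSR + passphrase-protected private key (passphrase read from $CA_PASS)
        openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem \
            -passout env:CA_PASS -subj "/CN=MyCompany Example Root CA" || exit 1
        # Self-signed root certificate, valid for 2 years
        openssl x509 -trustout -in MyCompanyCA.csr -out MyCompanyCA.crt \
            -req -signkey MyCompanyCA.pem -passin env:CA_PASS -days 730 || exit 1
        chmod 600 MyCompanyCA.pem       # make the key's mode explicit
    ) >/dev/null 2>&1
}

check_root_ca() {  # $1 = directory; returns 0 only if every check passes
    crt="$1/MyCompanyCA.crt"; key="$1/MyCompanyCA.pem"
    # 1. Self-signed: subject and issuer names hash to the same value
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] || return 1
    # 2. The certificate carries the public half of MyCompanyCA.pem
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -passin env:CA_PASS -pubout)" ] || return 1
    # 3. Validity: still valid in 729 days, expired in 731
    openssl x509 -in "$crt" -noout -checkend $((729 * 86400)) >/dev/null || return 1
    openssl x509 -in "$crt" -noout -checkend $((731 * 86400)) >/dev/null && return 1
    # 4. Private key is owner read/write only
    [ -n "$(find "$key" -perm 600)" ] || return 1
    return 0
}

CA_PASS="constructed-sample-passphrase"; export CA_PASS
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir" && check_root_ca "$demo_dir" && echo "root CA checks passed"
rm -rf "$demo_dir"
```
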

The next step is Step 2: Create the server's certificate and private key.