Create a certificate authority

This procedure allows you to create a certificate authority.

In this task you use the openssl command tool to create the certificate authority.

  1. Create the certificate authority serial file:
    $ echo 01 > MyCA.srl

    This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the CA with the extension .srl.

  2. Create a certificate signing request (CSR):
    $ openssl req -new -out MyCA.csr
    Follow the instructions to create the CSR. This command also creates a private-key file, privkey.pem, containing the RSA private key of the CSR certificate and protected by a password.
  3. Remove the private key password (Optional):
    $ openssl rsa -in privkey.pem -out MyCA.pem
    Note: Removing the password of a certificate authority's private key is not recommended.
  4. Create a certificate from the Certificate Signing Request that is trusted by the Root Certificate Authority:
    $ openssl x509 -in MyCA.csr -out MyCA.crt -req -signkey MyCA.pem
     -CA MyRootCA.crt -CAkey MyRootCA.pem -days 365
    Note: About the CSR and its private key:
    • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl. See Encryption and authentication).
    • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.