Create a root certificate authority

Create a local root certificate authority for signing test certificates.

Important:

This task is optional because a root certificate authority is only needed if you are creating test certificates.

For details about creating a Certificate Signing Request, go to Create a certificate. For more information about certificate authorities, go to Certificate authorities.

Use the openssl tool to create a root certificate authority.

  1. Create the root certificate authority serial file:
    $ echo 01 > MyRootCA.srl

    This command creates a serial file whose initial value is the hexadecimal number 01. OpenSSL reads and increments this file to assign serial numbers to the certificates the CA signs. The serial file is conventionally given the same name as the root CA with the extension .srl.

  2. Create a certificate signing request and a private key:
    $ openssl req -new -out MyRootCA.csr

    You are prompted to provide a Distinguished Name (DN) for the certificate, including fields such as Country Name, State or Province Name, Organization Name, and Common Name (CN).

    Two files are created: MyRootCA.csr and a private key file called privkey.pem. The private key of a root certificate authority must be handled with care: it is what makes the certificates the CA signs trustworthy, and it is needed to sign every future certificate. As a result, it must not be readable by other users.

Create a self-signed root CA certificate:

  1. Remove the password of the private key (Optional):
    $ openssl rsa -in privkey.pem -out MyRootCA.pem

    You are prompted for the passphrase.

    Warning:

    Removing the password of a certificate authority's private key is not recommended.

    The unprotected private key is output in MyRootCA.pem.

  2. Create a certificate from the CSR that is valid for 730 days, and that is signed by the unprotected private key:
    $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
        -req -signkey MyRootCA.pem -days 730

    The root certificate authority certificate is output in MyRootCA.crt.
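The whole procedure, run end to end without interactive prompts, as an added example that is not part of the original page. The directory, the subject DN and the passphrase "demo-passphrase" are constructed for the demonstration; -subj and -passout stand in for the prompts, and the page's -trustout option is omitted so that the output is a plain "CERTIFICATE" PEM block that every consumer accepts (OpenSSL's -trustout writes a "TRUSTED CERTIFICATE" block). The check function confirms the two properties a practitioner cares about before using the files: the certificate verifies against itself, and the stripped key really is unencrypted while the original stays encrypted.

```shell
#!/bin/sh
# Added example: build a throwaway test root CA the way the steps above do,
# but non-interactively. Not the page's own commands; values are constructed.

# Create the CA in DIR using PASSPHRASE for the initial encrypted key, then
# strip the passphrase as step 1 of the self-signing section does.
# Returns non-zero if any openssl step fails.
create_test_root_ca() {
    dir="$1"
    passphrase="$2"            # constructed demo passphrase, never prompt for it
    mkdir -p "$dir" || return 1
    (
        set -e
        umask 077              # key material created here is owner-readable only
        cd "$dir"
        # Serial file with the initial hexadecimal value 01, as in step 1.
        echo 01 > MyRootCA.srl
        # CSR plus an encrypted private key; -subj replaces the DN prompts and
        # -keyout names the key file the page calls privkey.pem.
        openssl req -new -newkey rsa:2048 -keyout privkey.pem \
            -passout "pass:$passphrase" \
            -subj "/C=US/ST=Test/O=Example Test Lab/CN=Example Test Root CA" \
            -out MyRootCA.csr
        # Remove the passphrase (the page warns this is not recommended for a real CA).
        openssl rsa -in privkey.pem -passin "pass:$passphrase" -out MyRootCA.pem
        # Self-sign the CSR with the unprotected key for 730 days.
        openssl x509 -req -in MyRootCA.csr -signkey MyRootCA.pem -days 730 \
            -out MyRootCA.crt
    )
}

# Sanity checks on the generated files. Returns 0 only if all pass.
check_test_root_ca() {
    dir="$1"
    # A self-signed root must verify when it is its own trust anchor.
    openssl verify -CAfile "$dir/MyRootCA.crt" "$dir/MyRootCA.crt" >/dev/null 2>&1 || return 1
    # The stripped key must be a plain (unencrypted) private key ...
    grep -q 'PRIVATE KEY' "$dir/MyRootCA.pem" || return 1
    grep -q 'ENCRYPTED' "$dir/MyRootCA.pem" && return 1
    # ... while the original key written by openssl req stays passphrase-protected.
    grep -q 'ENCRYPTED' "$dir/privkey.pem" || return 1
    return 0
}

# Print the subject and validity window of the new root certificate.
show_test_root_ca() {
    openssl x509 -in "$1/MyRootCA.crt" -noout -subject -dates
}

# Usage: build a CA in a scratch directory, check it, and show what was issued.
ca_dir=$(mktemp -d)
create_test_root_ca "$ca_dir" "demo-passphrase" \
    && check_test_root_ca "$ca_dir" \
    && show_test_root_ca "$ca_dir"
```

Because the functions return a status instead of exiting, they can be reused from other scripts; the umask in the subshell means privkey.pem and MyRootCA.pem are created with mode 600 without a separate chmod step.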

You can use MyRootCA.crt directly as a self-signed certificate to encrypt connections, but users are shown a warning that the certificate is not trusted. To have it trusted, create your own certificate signed by this certificate authority and install it as a trusted certificate in the browser or in the keystore/keychain of the machine. For details, go to Create a certificate.