Step 1: Create the root certificate authority

Generate a root certificate authority that signs a client certificate.

  • Create the root certificate authority serial file:

    $ echo 01 > MyCompanyCA.srl
  • Create the root authority's Certificate Signing Request and private key:

    $ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
    Follow the prompts to create the CSR. This command creates a PEM file containing the private key of the CSR. The key is encrypted, so you are prompted for a passphrase for it. You are then prompted to identify the subject or issuer of the certificate – to provide a Distinguished Name (DN) for the certificate – in a series of prompts. These are examples of what the prompts look like:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:.
  • Create the root certificate authority certificate from the CSR that is valid for 730 days, and that is signed by the private key:
    $ openssl x509 -trustout -in MyCompanyCA.csr -out MyCompanyCA.crt \
        -req -signkey MyCompanyCA.pem -days 730
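The three steps above, run non-interactively so they can be scripted and then checked, as an added example that is not part of the original guide. It assumes openssl is on PATH and replaces the interactive prompts with -subj and -passout using constructed placeholder values; the second function checks the result, including the key-file permissions that the Important note below requires.

```shell
#!/bin/sh
# Added example, not the guide's own commands. Assumes openssl on PATH.
# The DN and passphrase values are constructed placeholders.
set -e

# make_root_ca DIR NAME CN PASSPHRASE
# Creates DIR/NAME.srl, DIR/NAME.pem (encrypted key), DIR/NAME.csr, DIR/NAME.crt
make_root_ca() {
  dir=$1; name=$2; cn=$3; pass=$4
  mkdir -p "$dir"
  # Step 1: serial file used when this CA later signs certificates
  echo 01 > "$dir/$name.srl"
  # Step 2: CSR plus encrypted private key; umask keeps the key owner-only
  ( umask 077; openssl req -new -newkey rsa:2048 \
      -subj "/C=FR/CN=$cn" -passout "pass:$pass" \
      -out "$dir/$name.csr" -keyout "$dir/$name.pem" )
  # Step 3: self-signed root certificate valid for 730 days
  openssl x509 -trustout -in "$dir/$name.csr" -out "$dir/$name.crt" \
      -req -signkey "$dir/$name.pem" -passin "pass:$pass" -days 730
}

# check_root_ca DIR NAME PASSPHRASE
# Returns 0 when the certificate verifies against itself, its public key
# matches the private key on disk, and the key file is owner-only.
check_root_ca() {
  dir=$1; name=$2; pass=$3
  # a root certificate must verify with itself as the only trust anchor
  openssl verify -CAfile "$dir/$name.crt" "$dir/$name.crt" >/dev/null 2>&1 \
    || { echo "cert does not self-verify"; return 1; }
  # the public key inside the certificate must match the private key we hold
  crt_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$name.pem" -passin "pass:$pass" -pubout)
  [ "$crt_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
  # the key file must not be accessible by other users (GNU or BSD stat)
  mode=$(stat -c %a "$dir/$name.pem" 2>/dev/null || stat -f %Lp "$dir/$name.pem")
  case $mode in
    *00) ;;
    *) echo "key file readable by group/other (mode $mode)"; return 1 ;;
  esac
  return 0
}
```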
Important:

The private key file of a root certificate authority must be handled with care: it is the key that signs the certificates the authority issues, and it is used to create future certificates. As a result, it must not be accessible by other users.

In the next step we create the server's certificate and private key, Step 2: Create the server's certificate and private key.