Step 1: Create the root certificate authority
Generate a root certificate authority whose private key will sign the server and client certificates created in the following steps.
-
Create the root certificate authority serial file:
$ echo 01 > MyCompanyCA.srl
-
Create the root authority's Certificate Signing Request and private key:
$ openssl req -new -out MyCompanyCA.csr -keyout MyCompanyCA.pem
Follow the prompts to create the CSR. This command writes MyCompanyCA.pem, the private key whose public half goes into the CSR. The key is encrypted, so you are prompted for a passphrase for it. You are then asked to identify the subject of the certificate (for a self-signed root, subject and issuer are the same) by providing a Distinguished Name (DN) in a series of prompts. The prompts look like this; the value in brackets is the default, and entering a single "." leaves that field empty instead of taking the default:
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:.
The Common Name is what clients display for the CA, so give it a recognisable value.
-
Create the root certificate authority certificate from the CSR, self-signed with the private key and valid for 730 days:
$ openssl x509 -trustout -in MyCompanyCA.csr -out MyCompanyCA.crt -req -signkey MyCompanyCA.pem -days 730
Important:
The private key file of the root certificate authority must be handled with care: anything signed with it is trusted wherever the CA certificate is installed, so whoever holds the key can issue certificates for any name, and the key is needed again every time the CA signs a certificate. It must not be readable by other users; restrict its file permissions to the account that operates the CA and keep the passphrase separate from the key file.
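The three commands above run non-interactively, followed by the checks a practitioner would make before installing the result in a trust store. This is an added example, not code from the original page: the passphrase, the subject DN and the directory are placeholders. It departs from the page's commands in two ways, both assumptions stated in the comments: it supplies an extension file so the certificate carries basicConstraints CA:TRUE (which RFC 5280 requires in CA certificates and which the bare `openssl x509 -req -signkey` command does not add), and it omits `-trustout` so the output uses the standard `-----BEGIN CERTIFICATE-----` header rather than OpenSSL's `TRUSTED CERTIFICATE` variant. It assumes OpenSSL 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example (not from the original page): Step 1 run non-interactively,
# plus checks on the result. Placeholders: passphrase, DN, directory.
set -eu

# Build the root CA in $1 (created if missing); $2 is the key passphrase.
make_root_ca() {
    dir="$1"
    pass="$2"
    mkdir -p "$dir"
    (
        cd "$dir"

        # Serial file. "openssl x509 -CA ... -CAserial MyCompanyCA.srl" reads and
        # increments it when this CA later signs server or client certificates.
        echo 01 > MyCompanyCA.srl

        # Key and CSR in one step. -newkey rsa:4096 fixes the key size instead
        # of relying on the config default; -passout supplies the passphrase the
        # interactive command prompts for; -subj replaces the DN prompts.
        openssl req -new -newkey rsa:4096 \
            -keyout MyCompanyCA.pem -passout "pass:$pass" \
            -out MyCompanyCA.csr \
            -subj "/C=FR/O=MyCompany/CN=MyCompany Root CA" 2>/dev/null

        # The private key is readable and writable by its owner only.
        chmod 600 MyCompanyCA.pem

        # Self-sign for 730 days. The extension file marks the certificate as a
        # CA (assumption: added here, not part of the page's command); without it
        # the certificate carries no basicConstraints extension at all.
        printf '%s\n' \
            'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' \
            'subjectKeyIdentifier=hash' > MyCompanyCA.ext
        openssl x509 -req -days 730 -sha256 \
            -in MyCompanyCA.csr \
            -signkey MyCompanyCA.pem -passin "pass:$pass" \
            -extfile MyCompanyCA.ext \
            -out MyCompanyCA.crt 2>/dev/null
    )
}

# Return 0 only if the CA in $1 is self-verifying, marked CA:TRUE, valid for
# about 730 days, and its key is encrypted with owner-only permissions.
check_root_ca() {
    dir="$1"
    crt="$dir/MyCompanyCA.crt"
    key="$dir/MyCompanyCA.pem"
    # A self-signed root must verify against itself.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    # Subject and issuer of a root are identical.
    subj="$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')"
    iss="$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')"
    [ "$subj" = "$iss" ] || return 1
    # The CA flag is present.
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || return 1
    # Lifetime: does not expire within 729.2 days, does expire within 730.9 days.
    openssl x509 -in "$crt" -noout -checkend 63000000 >/dev/null || return 1
    if openssl x509 -in "$crt" -noout -checkend 63150000 >/dev/null; then
        return 1
    fi
    # The key file is encrypted (PKCS#8 or legacy PEM header both say so)
    # and readable by its owner only.
    grep -q 'ENCRYPTED' "$key" || return 1
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}

# Stand-alone run: build into a temporary directory and report the outcome.
demo_dir="$(mktemp -d)"
make_root_ca "$demo_dir" 'change-me-passphrase'   # placeholder passphrase
if check_root_ca "$demo_dir"; then
    echo "root CA built and verified in $demo_dir"
else
    echo "root CA check failed in $demo_dir" >&2
    exit 1
fi
```

`check_root_ca` is the part worth keeping around: run it against any root you are about to distribute, since a certificate that verifies under OpenSSL but lacks CA:TRUE will be accepted by some clients and refused by others, and that inconsistency is far harder to diagnose in production than at creation time.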
The next step, Step 2: Create the server's certificate and private key, creates the server's key and certificate and signs the certificate with this root authority.