Create a root certificate authority

Generate a root certificate authority that signs a certificate.

Important:

This task is optional because a root certificate authority is only needed if you are creating self-signed certificates for testing purposes.

To secure your web server and applications with the SSL/TLS protocol, you must send a Certificate Signing Request to one of the trusted Certificate Authority companies on the Internet, which will provide you with a certificate that clients already trust.

For details about creating a Certificate Signing Request, go to Create a certificate. For more information about certificate authorities, go to Certificate authorities.

The openssl tool is used to create a root certificate authority.

  1. Create the root certificate authority serial file:
    $ echo 01 > MyRootCA.srl

    This command creates a serial file with an initial hexadecimal value of 01. OpenSSL uses this file to track the serial numbers of the certificates it creates. The serial file is typically given the same name as the root CA with the extension .srl, because when you later sign certificates with -CA MyRootCA.crt and do not pass -CAserial, openssl looks for a serial file of that name.

  2. Create a certificate signing request and a private key:
    $ openssl req -new -out MyRootCA.csr
    Follow the prompts to create the CSR. This command also generates a new private key and writes it to a PEM file. The key is encrypted, so you are prompted for a passphrase for it. You are then asked, in a series of prompts, for the fields that identify the subject of the certificate (for a root CA, the subject and the issuer are the same). These are examples of what the prompts look like:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:.
    Two files are created, MyRootCA.csr and a file called privkey.pem. The private key file of a root certificate authority must be handled with care: it is what signs every certificate the CA issues, now and in the future, and anyone who obtains it can issue certificates that are trusted wherever the root certificate is trusted. As a result, it must not be accessible by other users.

Create a self-signed certificate

  1. Remove the password of the private key (Optional):
    $ openssl rsa -in privkey.pem -out MyRootCA.pem
    You are prompted for the passphrase.
    Warning:

    Removing the password of a certificate authority's private key is not recommended.

    The unprotected private key is output in MyRootCA.pem.
  2. Create a certificate from the CSR that is valid for 730 days, and that is signed by the unprotected private key:
    $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt \
        -req -signkey MyRootCA.pem -days 730
    The root certificate authority certificate is output in MyRootCA.crt.
What to do next

You can use MyRootCA.crt directly as a self-signed server certificate, but users will be shown a warning that the certificate is not trusted. If you want certificates to be trusted, create your own certificate signed by this certificate authority, and install the CA certificate (MyRootCA.crt) as a trusted certificate in the browser or in the keystore/keychain of the machine. Creating a certificate signed by this certificate authority is detailed in Create a certificate.