Create a root certificate authority

Generate a root certificate authority that signs a certificate authority.

In this task you use the openssl tool to create a Certificate Signing Request (CSR) and a root certificate authority. For more information about the root certificate authority, go to root certificate authority.

  1. Create the root certificate authority serial file:
    $ echo 01 >

    This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the root CA with the extension .srl.

  2. Create a certificate signing request and a private key:
    $ openssl req -new -out MyRootCA.csr
    Follow the instructions to create the CSR. This command creates a pem file containing the private key of the CSR. The key is encrypted, so you are prompted for a passphrase for it. You will be prompted to identify the subject or issuer of the certificate – to provide a Distinguishing Name (DN) for the certificate – in a series of prompts. These are examples of what the prompts will look like:
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:.
    Locality Name (eg, city) []:.
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:.                               
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:.
    Two files are created, MyRootCA.csr and a file called privkey.pem. The private key file of a root certificate authority must be handled with care because it validates certificates it has signed and it is used in creating future certificates. As a result, it must not be accessible by other users.
  3. Remove the password of the private key (Optional):
    $ openssl rsa -in privkey.pem -out MyRootCA.pem
    You are prompted for the passphrase.

    Removing the password of a certificate authority's private key is not recommended.

    The unprotected private key is output in MyRootCA.pem.
  4. Create a certificate from the CSR that is valid for 365 days, and that is signed by the unprotected private key:
    $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt
     -req -signkey MyRootCA.pem -days 365
    Note: About the CSR and its private key:
    • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl. See Encryption and authentication).
    • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.
    The root certificate authority certificate is output in MyRootCA.crt.
What to do next.

You can use MyRootCA.crt to encrypt data as a self-signed certificate, but users will be shown a warning that says the certificate is not trusted. If you want to have it trusted, you must create your own certificate authority (CA), and install it as a trusted certificate in the browser. Creating a certificate authority is detailed in Create a certificate authority.