Create a root certificate authority

Generate a root certificate authority that signs a client certificate.

In this task you use the openssl command tool to create the root certificate authority.

  1. Create the root certificate authority serial file:
    $ echo 01 >

    This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the root CA with the extension .srl.

  2. Create a Certificate Signing Request (CSR):
    $ openssl req -new -out MyRootCA.csr

    Follow the instructions to create the CSR. Two files are created, the MyRootCA.csr and a file called privkey.pem, which contains the RSA private key of the CSR certificate protected by a password.

  3. Remove the password of the private key (Optional):
    $ openssl rsa -in privkey.pem -out MyRootCA.pem

    Removing the password of a certificate authority's private key is not recommended.

  4. Create a self-signed certificate from the CSR and the unprotected private key for a validity period of 365 days:
    $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt
     -req -signkey MyRootCA.pem -days 365
    About the CSR and its private key:
    • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl. See Encryption and authentication).
    • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.