Create a root certificate authority

Generate a root certificate authority that signs a certificate authority.

1. Create the root certificate authority serial file:

   $ echo 01 > MyRootCA.srl

   This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the root CA with the extension .srl.

2. Create a certificate signing request and a private key:

   $ openssl req -new -out MyRootCA.csr

   Follow the instructions to create the CSR. This command creates a pem file containing the private key of the CSR. The key is encrypted, so you are prompted for a passphrase for it. You will be prompted to identify the subject or issuer of the certificate – to provide a Distinguishing Name (DN) for the certificate – in a series of prompts. These are examples of what the prompts will look like:

   Country Name (2 letter code) [AU]:FR
   State or Province Name (full name) [Some-State]:.
   Locality Name (eg, city) []:.
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:.                               
   Organizational Unit Name (eg, section) []:.
   Common Name (e.g. server FQDN or YOUR name) []:
   Email Address []:.

   The most important field in the DN is the Common Name (CN), which should have the exact Fully Qualified Domain Name (FQDN) of the host that you intend to use the certificate with. For instance, if the URL of the server is https://www.MyServer.com/fastcgi/ws/r/MyWebService, the CN must be www.MyServer.com. In the other fields, you provide additional details about your organization, which may be needed if you are purchasing an SSL certificate from a certificate authority.

   Two files are created, MyRootCA.csr and a file called privkey.pem. The private key file of a root certificate authority must be handled with care because it validates certificates it has signed and it is used in creating future certificates. As a result, it must not be accessible by other users.
3. Remove the password of the private key (Optional):

   $ openssl rsa -in privkey.pem -out MyRootCA.pem

   You are prompted for the passphrase.

   Warning:

   Removing the password of a certificate authority's private key is not recommended.

   The unprotected private key is output in MyRootCA.pem.
4. Create a certificate from the CSR that is valid for 365 days, and that is signed by the unprotected private key:

   $ openssl x509 -trustout -in MyRootCA.csr -out MyRootCA.crt
    -req -signkey MyRootCA.pem -days 365

   Note: About the CSR and its private key:

   • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl. See Encryption and authentication).
   • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.
   The root certificate authority certificate is output in MyRootCA.crt.