Create a certificate authority

In this procedure you create a certificate authority.

Use the openssl tool to create the certificate authority.

  1. Create the certificate authority serial file:
    $ echo 01 >

    This command creates a serial file with an initial HEX value 01. OpenSSL uses this file to track the serial numbers of certificates it creates. The serial file is typically given the same name as the CA with the extension .srl.

  2. Create a certificate signing request (CSR):
    $ openssl req -new -out MyCA.csr
    Follow the instructions to create the CSR. This command also creates a private-key file, privkey.pem, containing the RSA private key of the CSR certificate and protected by a password.
  3. Remove the private key password (Optional):
    $ openssl rsa -in privkey.pem -out MyCA.pem

    Removing the password of a certificate authority's private key is not recommended.

  4. Create a certificate from the Certificate Signing Request that is trusted by the Root Certificate Authority:
    $ openssl x509 -in MyCA.csr -out MyCA.crt -req 
        -CA MyRootCA.crt -CAkey MyRootCA.pem -days 365
    About the CSR and its private key:
    • If you want an official Certificate Authority, you must send the CSR file to one of the self-established Certificate Authority companies on the Internet (instead of creating it with openssl. See Encryption and authentication).
    • The CSR file is also used to encrypt messages that only its corresponding private key can decrypt.