Create a Root CA Certificate

Create a root certificate that can be used to generate intermediate certificates.

  1. Create or edit an OpenSSL configuration file called ca_root.cnf for the creation of the CA root certificate.

    You can download a sample ca_root.cnf file from a number of web sites. You will have to adapt it to your situation, specifically the names and locations of your key and certificate in the [CA_default] section.

  2. Generate a strong key, for example a 4096-bit RSA key whose key file is encrypted with AES-256. For more information, see Generate a Private Key for Use with Certificates.

    For example:

    openssl genrsa -aes256 -out ca_root.key 4096

    When prompted for a pass phrase, use a strong one.

    Note: Keep this key secure! If it is compromised, an attacker can issue certificates that are indistinguishable from legitimate ones.

  3. Create the root CA certificate with a long validity period, such as 20 years:

    openssl req -config ca_root.cnf \
                -key ca_root.key \
                -new -x509 -days 7305 -sha256 -extensions v3_ca \
                -out ca_root.crt

    A root CA certificate is self-signed and trusted by definition, so there is no need to create a certificate signing request (CSR) for it.

  4. Verify the root CA certificate:
    openssl x509 -noout -text -in ca_root.crt
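The four steps above, run end to end non-interactively, as an added example that is not part of the original page. The minimal ca_root.cnf, the directory layout, the subject name and the demo passphrase (read from the CA_PASS environment variable so that openssl never prompts) are all assumptions made for the example; for a real root CA, type the passphrase at the prompt as in step 2.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1-4 non-interactively.
# The passphrase comes from $CA_PASS (demo value if unset) so openssl never
# prompts; for a real root CA, type it at the prompt as in step 2.
make_root_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir"
    export CA_PASS="${CA_PASS:-constructed-demo-passphrase}"
    # Step 1: minimal constructed ca_root.cnf; [v3_ca] marks the cert as a CA.
    cat > "$ca_dir/ca_root.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir         = .
private_key = $dir/ca_root.key
certificate = $dir/ca_root.crt
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = Example Root CA
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
    # Step 2: 4096-bit RSA key; the key file is encrypted with AES-256.
    openssl genrsa -aes256 -passout env:CA_PASS -out "$ca_dir/ca_root.key" 4096 || return 1
    # Step 3: self-signed root valid 7305 days (20 years); no CSR is needed.
    openssl req -config "$ca_dir/ca_root.cnf" -key "$ca_dir/ca_root.key" \
        -passin env:CA_PASS -new -x509 -days 7305 -sha256 -extensions v3_ca \
        -out "$ca_dir/ca_root.crt"
}
# Step 4: inspect the certificate and check what a root must carry: CA flag,
# keyCertSign usage, a valid self-signature, and 630000000 s (~19.9 y) left.
root_ca_check() {
    ca_crt="$1/ca_root.crt"
    ca_text=$(openssl x509 -noout -text -in "$ca_crt") || return 1
    printf '%s\n' "$ca_text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$ca_text" | grep -q 'Certificate Sign' || return 1
    openssl verify -CAfile "$ca_crt" "$ca_crt" >/dev/null || return 1
    openssl x509 -noout -checkend 630000000 -in "$ca_crt" >/dev/null
}
# Usage: sh create_root_ca.sh /path/to/ca-dir
if [ "$#" -gt 0 ]; then
    make_root_ca "$1" && root_ca_check "$1" && echo "root CA OK in $1"
fi
```

Run it with a directory argument; it leaves ca_root.cnf, ca_root.key and ca_root.crt there, ready for the intermediate CA steps.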

For more information, see Create Intermediate CA Certificates.