Generating

For a CA, this is no different to generating a self-signed certificate. We're going to use an openssl.cnf file to save a lot of typing.

The config file looks like:

[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
C = GB
ST = Buckinghamshire
L = Newport Pagnell
O = Example Limited
CN = Example Limited CA
emailAddress = webmaster@example.com

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
#basicConstraints = critical,CA:true
basicConstraints = CA:true

Notable parts are:

• CN where we declare our purpose for this certificate
• basicConstraints = CA:true which indicates that this request should be for a CA

To create the CA we use the all-in-one request and certificate form that we used to create a self-signed certificate:

openssl genrsa -out root-ca.key
openssl req -new -sha256 -x509 -key root-ca.key -out root-ca.crt -config root-ca.cnf

Where root-ca.cnf is a file containing the above configuration commands

Checking

Finally, check the certificate to see what we've got:

openssl x509 -noout -in root-ca.crt -text -purpose

Note that the Issuer and the Subject are the same and that the certificate can be used for any purpose.

SHA256

Again, check your certificate reports:

Signature Algorithm: sha256WithRSAEncryption