
2.2. Create a Root Certification Authority Certificate.

CA.pl -newcert 
(openssl req -config /etc/openssl.cnf-new -x509 -keyout newreq.pem -out newreq.pem -days 365) 
  

This creates a self-signed certificate (for the Certificate Authority). The resulting file goes into newreq.pem. For the Common Name (CN), use something like “ACME root Certificate”. This file needs to be split into two files, cacert.pem and private/cakey.pem: the -PRIVATE KEY- part goes into private/cakey.pem, while the -CERTIFICATE- part goes into cacert.pem. Delete newreq.pem when finished.

Now ensure that the file index.txt is empty and that the file serial contains 1.

You may want to increase the number of days so that your root certificate and all the certificates signed by this root do not have to be changed when the root certificate expires. I think professional companies work over 5 years for their root certificates.

openssl req -config /etc/openssl.cnf-new -x509 -keyout newreq.pem -out newreq.pem -days 1825
  

Now ensure that this self-signed root certificate is used only to sign other certificates. The private key is highly sensitive; never compromise it by removing the passphrase that protects it.

Now you have a root Certification Authority. Other people need to trust your self-signed root CA certificate, and must therefore download it and register it in their browser.

You will have to type the passphrase each time you want to sign another certificate with it.
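
The split of newreq.pem described above, together with the advice to keep the key passphrase-protected, can be scripted as follows. This is an added example, not part of CA.pl or the original HOWTO; the function names and the CA directory argument are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: split newreq.pem into cacert.pem and private/cakey.pem.
# sample_newreq, pem_block and split_newreq are hypothetical names, not part of CA.pl.

# Constructed sample input: the base64 bodies are dummy text, not a real key or certificate.
sample_newreq() {
    cat > "$1" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=
-----END CERTIFICATE-----
EOF
}

# Print the PEM block in file $2 whose BEGIN/END label matches the regex in $1.
pem_block() {
    awk -v pat="$1" '
        $0 ~ ("^-----BEGIN " pat "-----$") { on = 1 }
        on { print }
        $0 ~ ("^-----END " pat "-----$") { on = 0 }
    ' "$2"
}

split_newreq() {
    src=$1 cadir=$2
    # Refuse a key that is not passphrase-protected (PKCS#8 or legacy PEM header).
    if ! grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----$|^Proc-Type: 4,ENCRYPTED' "$src"; then
        echo "private key in $src is not encrypted" >&2
        return 1
    fi
    mkdir -p "$cadir/private" && chmod 700 "$cadir/private" || return 1
    # Create the key file with owner-only permissions from the start.
    ( umask 077; pem_block '([A-Z]+ )*PRIVATE KEY' "$src" > "$cadir/private/cakey.pem" ) || return 1
    pem_block 'CERTIFICATE' "$src" > "$cadir/cacert.pem" || return 1
    # Both parts must be present before the combined file is deleted.
    [ -s "$cadir/private/cakey.pem" ] && [ -s "$cadir/cacert.pem" ] || return 1
    # Fresh CA database: empty index.txt, serial number 1 written as two hex digits.
    [ ! -s "$cadir/index.txt" ] || { echo "index.txt is not empty" >&2; return 1; }
    : > "$cadir/index.txt"
    echo 01 > "$cadir/serial"
    rm -f "$src"
}
```

Call it as split_newreq newreq.pem followed by the CA directory that holds cacert.pem and private/; it leaves newreq.pem in place if the key is unencrypted or either part is missing.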