Create self-signed root CA

After installing OpenSSL, we have to add the openssl/bin path to the system 'path' variable so we can run openssl.exe from anywhere.

Click on the 'path' variable and press the Edit button.

Now open a command prompt, type 'openssl' and hit Enter. If you set the correct path, the prompt changes to OpenSSL> _
    

Now we have to set the path to the 'openssl.cnf' file. This is done by creating a new system variable. The variable name must be 'OPENSSL_CONF' and the path should be directed to 'C:\Program Files (x86)\GnuWin32\share', which is where 'openssl.cnf' is located.
 

Now create a new folder anywhere you wish and go inside it using the command prompt.



Now type 'openssl' command and hit enter to begin the root CA creation.


First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
genrsa -out ca.key 4096


Go to the folder you created for certificate generation and check that the root CA's key has been generated.



Next, we create our self-signed root CA certificate ca.crt; you'll need to provide an identity for your root CA. I have taken a screenshot of every step. You can use your own parameters.
req -new -x509 -days 1826 -extensions v3_ca -key ca.key -out ca.crt







After the command completes, you will see that ca.crt (the certificate) has been generated.

Some of the details in the root CA certificate.


The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.
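
To confirm the result before moving on, the checks below can be run from PowerShell inside the certificate folder. This is an added example, not part of the original post; it assumes openssl.exe is on the path and that the files are named ca.key and ca.crt as above, and the Check helper is a name made up for this example.

```powershell
# Added example: sanity checks for the ca.key / ca.crt created by the steps above.
# Assumption: openssl.exe is on the path and this runs in the certificate folder.
$key = 'ca.key'; $crt = 'ca.crt'
$failed = 0

# Hypothetical helper: print PASS/FAIL and count failures.
function Check([string]$name, [bool]$ok) {
    if ($ok) { Write-Host "PASS  $name" }
    else     { Write-Host "FAIL  $name"; $script:failed++ }
}

# 1. On a self-signed root, subject and issuer are the same name.
$subject = (& openssl x509 -in $crt -noout -subject) -replace '^subject\s*=\s*', ''
$issuer  = (& openssl x509 -in $crt -noout -issuer)  -replace '^issuer\s*=\s*', ''
Check "subject equals issuer ($subject)" ($subject -and ($subject -eq $issuer))

# 2. The signature must verify with the certificate's own public key.
#    The output is matched instead of the exit code, which old builds do not set reliably.
$verify = (& openssl verify -CAfile $crt $crt) -join ' '
Check 'signature verifies against itself' ($verify -match ': OK')

# 3. The v3_ca extensions must mark it as a CA, and the key must be 4096 bits.
$text = (& openssl x509 -in $crt -noout -text) -join "`n"
Check 'basicConstraints contains CA:TRUE' ($text -match 'CA:TRUE')
Check 'public key is 4096 bit'            ($text -match '\(4096 bit\)')

# 4. ca.key must be the private half of the key in ca.crt (same RSA modulus).
$keyMod = & openssl rsa  -in $key -noout -modulus
$crtMod = & openssl x509 -in $crt -noout -modulus
Check 'ca.key matches ca.crt' ($keyMod -and ($keyMod -eq $crtMod))

# 5. genrsa without a cipher option writes the private key unencrypted.
#    Report whether the PEM file is passphrase-protected so it can be stored accordingly.
$pem = Get-Content $key -Raw
Write-Host ("INFO  ca.key passphrase-protected: {0}" -f ($pem -match 'ENCRYPTED'))

# Show the validity window set by -days 1826.
& openssl x509 -in $crt -noout -dates

if ($failed -gt 0) { Write-Host "$failed check(s) failed"; exit 1 }
Write-Host 'All checks passed'
```

With the key generated exactly as shown above, check 5 reports False, so ca.key should be kept in a location only the CA administrator can read.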
Next step: create our subordinate CA.

About Mahinda Jayasundara
