Creating a root CA certificate
  1. guides
  2. en
  3. Administrator's Guide
  4. Managing certificates
  5. Managing certificates using OpenXPKI Certificate Authority through EST
  6. Configuring OpenXPKI CA manually
  7. Creating a root CA certificate

Creating a root CA certificate

You can create a self‑signed root CA certificate, or generate a certificate request and then get it signed by the root CA.
Replace the key length, signature algorithm, and certificate name with the appropriate values.
  1. Run the following command:
    openssl genrsa -out /etc/certs/openxpki_democa/ca-root-1.key -passout file:/etc/certs/openxpki_democa/pd.pass 4096
  2. Replace the subject in the request with your CA information using
    openssl req -new -key /etc/certs/openxpki_democa/ca-root-1.key -out /etc/certs/openxpki_democa/ca-root-1.csr
    .
  3. Get the certificate signed by the root CA using
    openssl req -config /etc/certs/openxpki_democa/openssl.conf -extensions v3_ca_extensions - x509 -days 3560 -in /etc/certs/openxpki_democa/ca-root-1.csr -key /etc/certs/openxpki_democa/ca-root-1.key -out /etc/certs/openxpki_democa/ca-root-1.crt - sha256
    .
  4. Go to
    /etc/certs/openxpki_democa/
     where
    ca-root-1.crt
     is saved.
  5. Run the following command:
    openxpkiadm certificate import --file ca-root-1.crt

This site uses cookies for various purposes including enhancing your experience, analytics, and ads. By continuing to browse this site or by clicking "Accept and close", you agree to our use of cookies. For more information, read our Cookies page.