Prerequisite: Set up OpenSSL

The procedures in this section assume that you have installed and set up the OpenSSL toolkit.

If you are using a commercial root CA, you may not need to install the OpenSSL toolkit. Contact your commercial root CA for details on how to obtain a signed certificate. They may provide you with their own procedure for obtaining a signed certificate.

To install and set up OpenSSL:

Install the OpenSSL toolkit:

On Windows

The OpenSSL toolkit used in this section was downloaded from the following URL:

https://www.openssl.org/

Download and extract the latest version of the toolkit. The procedures in this section assume that the toolkit was extracted to the C:\openssl directory.

On Linux

Run the following command:
```
yum install openssl
```
Follow the instructions provided.
When OpenSSL is installed, create the openssl directory in your home directory.
For example:
```
/home/cmsadmin/openssl
```

Open a command prompt and go to the openssl directory.
For example:
```
(Windows) cd C:\openssl
(Linux) cd /home/cmsadmin/openssl
```

In the openssl directory, create the openssl.cnf file and add the following content:

#
# OpenSSL configuration file.
#

# Establish working directory.

dir   = ./CA

[ ca ]
default_ca  = CA_default

[ CA_default ]
serial   = $dir/serial
database  = $dir/index.txt
new_certs_dir  = $dir/newcerts
certificate  = $dir/newcerts/textml_root_cert.pem
private_key  = $dir/private/textml_root_privatekey.pem
default_days  = 365
default_md  = md5
preserve  = no
email_in_dn  = no
nameopt   = default_ca
certopt   = default_ca
policy   = policy_match

[ policy_match ]
countryName  = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional

[ req ]
default_bits  = 1024   # Size of keys
default_keyfile  = key.pem  # name of generated keys
default_md  = md5   # message digest algorithm
string_mask  = nombstr  # permitted characters
distinguished_name = req_distinguished_name
req_extensions  = v3_req

[ req_distinguished_name ]
# Variable name    Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress  = Email Address
emailAddress_max = 40
localityName  = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName  = Country Name (2 letter code)
countryName_min  = 2
countryName_max  = 2
commonName  = Common Name (hostname, IP, or your name)
commonName_max  = 64

# Default values for the above, for consistency and less typing.
# Variable name     Value
#------------------------------   ------------------------------
0.organizationName_default = Company name
localityName_default  = City name
stateOrProvinceName_default = state_province_name
countryName_default  = CA

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

In the openssl directory, create the CA directory.
This directory will contain the certificates, private keys, and database.
For example:
```
mkdir CA
```
In the CA directory, create the following two directories:
Option Description
newcerts Will contain the certificates
private Will contain the private keys
For example:
```
cd CA
mkdir newcerts
mkdir private
```
In the CA directory, create an empty index.txt file.
This file will contain the database of certificates.
In the CA directory, create a file called serial that contains the string 01, as follows:
```
echo 01 > serial
```
This is required to name the new generated certificates.

Option	Description
`newcerts`	Will contain the certificates
`private`	Will contain the private keys

You are now ready to obtain a signed certificate.