This procedure describes how to create a root certificate, which establishes you as
a valid certificate authority (CA) that is allowed to sign certificates.
This procedure creates the following two files:
- textml_root_cert.pem: Certificate Authority (CA) root certificate
- textml_root_privatekey.pem: Private key specific to the TEXTML Server root CA; you will need this key to sign the CSR

Store your CA root certificate and private key in a safe location
since you will need these files if you need to re-sign your
certificate (for example, when it expires). Ideally, you should not
store these files on the TEXTML Server.

To create a root certificate:

- In the openssl directory, run the following command:

  openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem \
    -out ./CA/newcerts/textml_root_cert.pem -days <number_of_days> -config ./openssl.cnf

  Where:
  <number_of_days>: Specifies how long the root certificate is valid, in days

  For example:

  openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem \
    -out ./CA/newcerts/textml_root_cert.pem -days 365 -config ./openssl.cnf

  The following message is displayed:

  Enter PEM pass phrase:

- Enter a passphrase to protect the CA certificate and press Enter.

  The following message is displayed:

  Verifying - Enter PEM pass phrase:

- Enter the passphrase again and press Enter.
- Enter the information requested, as follows:

Name | Description |
---|---|
Organization Name | Exact legal name of your organization. For example, ACME. |
Organizational Unit Name | Section of the organization. Optional. For example, Technical Publications. |
Email Address | Email address for the certificate. Optional. For example, administrator@acme.com. |
Locality Name | City where your organization is located. For example, Montreal. |
State or Province Name | State or province where your organization is located. For example, Quebec. |
Country Name | Two-letter ISO code for your country. For example, CA. For the detailed list, see the following URL: http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2 |
Common Name | Fully qualified domain name (FQDN) of the TEXTML Server. This must be the exact URL. For example, dita-textml.acme.local. |

The root CA and private key files are created.
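
Before using the new files to sign a CSR, it is worth confirming that the certificate really is a self-signed CA certificate with enough validity left, and that the private key is passphrase-encrypted and not readable by other users. The script below is an added example, not part of the product documentation; `verify_root_ca` and `make_sample_ca` are hypothetical helper names, and the sample configuration and passphrase are constructed stand-ins for your own `openssl.cnf` and secret.

```shell
#!/bin/sh
# Added example: sanity checks for the two files the procedure creates.
verify_root_ca() {  # usage: verify_root_ca <cert.pem> <key.pem> [min_days_left]
    cert=$1; key=$2; min_days=${3:-30}
    # A root certificate is self-signed: subject and issuer are identical.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || { echo "FAIL: not self-signed"; return 1; }
    # The v3_ca extensions must have marked the certificate as a CA.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints is not CA:TRUE"; return 1; }
    # -checkend returns non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $min_days days"; return 1; }
    # A passphrase-protected key has ENCRYPTED in its PEM header.
    grep -q 'ENCRYPTED' "$key" || { echo "FAIL: key is not encrypted"; return 1; }
    # No group/other permission bits may be set on the key file.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: key is accessible to group/other"; return 1; }
    echo "OK: $cert"
}

# Constructed sample input: a throwaway CA in <dir>. The minimal config and
# the passphrase are stand-ins for the site's openssl.cnf and real secret.
make_sample_ca() {  # usage: make_sample_ca <dir> <days>
    cat > "$1/sample.cnf" <<'EOF'
[req]
default_bits = 2048
distinguished_name = dn
prompt = no
[dn]
O = ACME
CN = dita-textml.acme.local
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -new -x509 -extensions v3_ca \
        -keyout "$1/textml_root_privatekey.pem" -out "$1/textml_root_cert.pem" \
        -days "$2" -config "$1/sample.cnf" -passout pass:constructed-example 2>/dev/null
    chmod 600 "$1/textml_root_privatekey.pem"
}

tmp=$(mktemp -d)
make_sample_ca "$tmp" 365
verify_root_ca "$tmp/textml_root_cert.pem" "$tmp/textml_root_privatekey.pem"
```

For the files created by the procedure, call `verify_root_ca ./CA/newcerts/textml_root_cert.pem ./CA/private/textml_root_privatekey.pem` from the openssl directory.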