Create a root certificate

You can create a root certificate, which determines that you are a valid authority and are allowed to sign certificates.

About this task

Important: Store your CA root certificate and private key in a safe location since you will need these files if you need to re-sign your certificate when it expires. It's best if you store these files somewhere safe other than the TEXTML Server.

When you create a root certificate, the process creates two files.

  • textml_root_cert.pem is the Certificate Authority (CA) root certificate
  • textml_root_privatekey.pem is the private key, specific to the TEXTML Server root CA, that you need in order to sign the CSR
To create a root certificate:

Procedure

  1. In the openssl directory, run the following command:
    openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem 
    -out ./CA/newcerts/textml_root_cert.pem -days <number_of_days> -config ./openssl.cnf
    Where:
    • <number_of_days>: Specifies how long the root certificate is valid, in days
    Such as:
    openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem 
    -out ./CA/newcerts/textml_root_cert.pem -days 365 -config ./openssl.cnf
  2. In the resulting message, enter a PEM pass phrase to protect the CA certificate and press Enter.
  3. In the resulting verification message, enter the PEM pass phrase again and press Enter.
  4. Enter the requested information.

    Name

    Description

    Organization Name

    Exact legal name of your organization.

    Example: ACME

    Organizational Unit Name

    Section of the organization.

    Example: Technical Publications.

    Email Address

    Email address for the certificate.

    Example: administrator@acme.com.

    Locality Name

    City where your organization is located.

    Example: Los Angeles.

    State or Province Name

    State or province where your organization is located.

    Example: California.

    Country Name

    Two-letter ISO code for your country.

    Example: US.

    See http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

    Common Name

    Fully qualified domain name (FQDN) of the TEXTML Server. This must be the exact URL.

    Example: dita-textml.acme.local.

Results

The root CA and private key files are created. The next sub-step is to create a CSR. See Create a Certificate Signing Request (CSR)