CA.pl -newcert (openssl req -config /etc/openssl.cnf -new -x509 -keyout newreq.pem \ -out newreq.pem -days 365) |
creates a self signed certificate (for Certificate Authority). The resulting file goes into newreq.pem. For the common Name (CN) use something like “ACME root Certificate”. This file needs to be split into 2 files cacert.pem and private/cakey.pem. The part -RSA PRIVATE KEY- goes into private/cakey.pem while the part -CERTIFICATE- goes into cacert.pem. Delete newreq.pem when finished.
Now ensure that the file index.txt is empty and that the file serial contains 01.
You may want to increase the number of days so that your root certificate and all the certificates signed by this root does not have to be changed when the root certificate expires. I think professional companies work over 5 years to 10 years for their root certificates.
openssl req -config /etc/openssl.cnf -new -x509 -keyout private/cakey.pem \ -out cacert.pem -days 3650 |
This last command is better than “CA.pl -newcert” as it will place the files in the required locations and create a root CA valid for 10 years.
Now ensure that this self signed root certificate is used only to sign other certificates. The private key is highly sensible, never compromise it, by removing the passphrase that protects it. Some people will place the private key on a floppy and will load it only when signing other certificates. If you computer gets hacked they can't physically get hold of the private key, if it is on a floppy.
Now you have a root Certification Authority. Other people need to trust your self-signed root CA Certificate, and therefore download it and register it on their browser.
You will have to type the passphrase each time you want to sign another certificate with it.