# Create the Root CA
The Root CA is the *root* of the trust tree. It will be used ***ONLY*** to create Intermediate CAs.
### Create directories, serial file, and index file for the Root CA
```
# Create the working tree for the Root CA (adjust /path/to as needed)
mkdir -p /path/to/root_ca/{bundles,certs,csr,crl,newcerts,private}
cd /path/to/root_ca
# Only the owner may enter the private key directory
chmod 700 private
# Database of issued certificates, and the serial number of the next one to issue
touch index.txt
echo 1000 > serial
```
### Create the configuration for signing
Copy [root.cnf](./root.cnf) into the Root CA directory, then set the `dir` option to that directory and point the `private_key` and `certificate` options at root-ca.key and root-ca.crt. With these set, you don't have to specify the certificate and key on the command line when signing certificates.
### Create Root CA key
```
cd /path/to/root_ca
# 4096-bit RSA key, encrypted with AES-256 (you will be prompted for a passphrase)
openssl genrsa -aes256 -out private/root-ca.key 4096
# Read-only for the owner, no access for anyone else
chmod 400 private/root-ca.key
```
### Self-sign the Root CA certificate
```
# Self-signed certificate valid for 7300 days, using the v3_ca extensions from root.cnf
openssl req -config root.cnf -key private/root-ca.key -new -x509 -days 7300 -extensions v3_ca -out certs/root-ca.crt
# The certificate is public; make it read-only for everyone
chmod 444 certs/root-ca.crt
```
### Verify the root cert (the cert is PEM-encoded, so the command below is needed to read it)
```
# Print the decoded certificate (subject, issuer, validity period, extensions)
openssl x509 -noout -text -in certs/root-ca.crt
```
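Reading the decoded output by eye is error-prone, so here is an added example (not part of these docs) that builds a throwaway Root CA the same way as the steps above and then checks the things that matter: `CA:TRUE`, `keyCertSign`, issuer equal to subject, a verifiable self-signature, and a key with mode 400. The minimal `root.cnf` inside it is constructed for the demo, the demo key is left unencrypted so it runs unattended, and `openssl` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the original docs. Builds a throwaway root CA the
# same way as the steps above (constructed minimal root.cnf, unencrypted demo
# key) and then checks the result the way a reviewer would. Assumes openssl.
set -eu

# make_demo_ca DIR: create directories, key and self-signed cert under DIR.
make_demo_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/certs" && chmod 700 "$dir/private"
  cat > "$dir/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA (constructed)
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # The docs use -aes256 (passphrase-protected); omitted here so this runs unattended.
  openssl genrsa -out "$dir/private/root-ca.key" 2048 2>/dev/null
  chmod 400 "$dir/private/root-ca.key"
  openssl req -config "$dir/root.cnf" -key "$dir/private/root-ca.key" -new -x509 \
    -days 7300 -extensions v3_ca -out "$dir/certs/root-ca.crt"
  chmod 444 "$dir/certs/root-ca.crt"
}

# check_root_ca CERT KEY: return 0 only if CERT is a usable self-signed CA
# certificate and KEY is readable by its owner alone.
check_root_ca() {
  cert=$1; key=$2; rc=0
  text=$(openssl x509 -noout -text -in "$cert")
  # basicConstraints CA:TRUE, or nothing will accept this cert as an issuer
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "FAIL: CA:TRUE missing"; rc=1; }
  # keyUsage must include keyCertSign (printed as "Certificate Sign")
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyCertSign missing"; rc=1; }
  # a root is self-signed: issuer equals subject
  subj=$(openssl x509 -noout -subject -in "$cert"); iss=$(openssl x509 -noout -issuer -in "$cert")
  [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "FAIL: issuer != subject"; rc=1; }
  # the signature must verify against the cert's own public key
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || { echo "FAIL: signature"; rc=1; }
  # the private key must be mode 400 (GNU stat first, BSD stat as fallback)
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  [ "$mode" = "400" ] || { echo "FAIL: key mode $mode, want 400"; rc=1; }
  return "$rc"
}
```

Run `check_root_ca certs/root-ca.crt private/root-ca.key` against the real Root CA from the steps above; any line starting with `FAIL:` means the certificate or key permissions need fixing before signing intermediates.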
***THE ONLY CERTIFICATES TO BE SIGNED WITH THE ROOT CA ARE CERTIFICATES FOR INTERMEDIATE CAs***. Now the [Intermediate CA](./intermediate_ca_config.md) (or any number of Intermediate CAs) can be created.