# Create the Root CA

The Root CA is the *root* of the trust tree. It is used to create other Intermediate CAs ***ONLY***.

### Create directories, serial file, and index file for the Root CA

```
mkdir -p /path/to/root_ca/{bundles,certs,csr,crl,newcerts,private}
# Run the remaining commands from inside the Root CA directory
cd /path/to/root_ca
# Only the owner may enter the directory that holds the private key
chmod 700 private
touch index.txt
echo 1000 > serial
```

### Create the configuration for signing

Copy [root.cnf](./root.cnf) into the Root CA directory, then set the `dir` option and set the `private_key` and `certificate` options to the locations of root-ca.key and root-ca.crt. With these set, you don't have to specify the certificate and key when signing certificates.

### Create Root CA key

```
cd /path/to/root_ca
# -aes256 encrypts the key on disk; openssl prompts for the passphrase
openssl genrsa -aes256 -out private/root-ca.key 4096
chmod 400 private/root-ca.key
```

### Signing Root CA certificate

```
# Self-signed (-x509) certificate valid for 7300 days, using the v3_ca extensions from root.cnf
openssl req -config root.cnf -key private/root-ca.key -new -x509 -days 7300 -extensions v3_ca -out certs/root-ca.crt
chmod 444 certs/root-ca.crt
```

### Verify root cert

The certificate file is encoded, so the command below is necessary to read it.

```
openssl x509 -noout -text -in certs/root-ca.crt
```

***THE ONLY CERTIFICATES TO BE SIGNED WITH THE ROOT CA ARE CERTIFICATES FOR INTERMEDIATE CAs***.

Now the [Intermediate CA](./intermediate_ca_config.md) (or any number of Intermediate CAs) can be created.
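
What to look for in the output of the "Verify root cert" step, as an added example that is not part of the original guide: the hypothetical function `check_root_ca_text` reads the `openssl x509 -noout -text` output on stdin and checks the properties a Root CA certificate created with the commands above should have. It assumes the `v3_ca` section of root.cnf sets `keyUsage` with `keyCertSign`; the sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Reads the output of
#   openssl x509 -noout -text -in certs/root-ca.crt
# on stdin, prints one line per failed check, returns 0 only if all pass.
check_root_ca_text() {
    text=$(cat)
    rc=0
    # Print the line that follows the extension header named in $1.
    ext_value() { printf '%s\n' "$text" | awk -v h="$1" 'index($0, h) { getline; print }'; }

    # A root certificate is self-signed, so Issuer and Subject are the same DN.
    issuer=$(printf '%s\n' "$text" | sed -n 's/^ *Issuer: *//p' | head -n 1)
    subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1)
    if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
        echo "FAIL: Issuer and Subject differ, certificate is not self-signed"; rc=1
    fi
    # Without CA:TRUE, verifiers reject chains built under this certificate.
    if ! ext_value 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints does not contain CA:TRUE"; rc=1
    fi
    # Assumption: the v3_ca section of root.cnf sets keyUsage with keyCertSign.
    if ! ext_value 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo "FAIL: keyUsage does not contain Certificate Sign"; rc=1
    fi
    # The key was generated with 'openssl genrsa ... 4096'.
    if ! printf '%s\n' "$text" | grep -Fq 'Public-Key: (4096 bit)'; then
        echo "FAIL: public key is not 4096 bit"; rc=1
    fi
    return $rc
}

# Constructed sample (trimmed 'openssl x509 -text' layout), not a real certificate.
SAMPLE_TEXT='Certificate:
    Data:
        Issuer: C = US, O = Example Org, CN = Example Root CA
        Subject: C = US, O = Example Org, CN = Example Root CA
        Subject Public Key Info:
                Public-Key: (4096 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign'

printf '%s\n' "$SAMPLE_TEXT" | check_root_ca_text && echo "sample: all checks passed"
```

Against the real certificate, pipe the verify command into the function: `openssl x509 -noout -text -in certs/root-ca.crt | check_root_ca_text`.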