About

A root certificate is a CA certificate that is located at the top of the certificate chain.

(Figure: certification chain path as shown in Chrome DevTools)

A root CA certificate is a certificate authority (CA) certificate that is self-signed: its issuer and subject are the same entity and it is signed with its own private key. Nothing in the certificate itself makes it trustworthy; a client trusts it only because it has been placed in the client's trust store.

Example: Root CA to sign client certificate

This example shows how to create a root CA that signs client certificates directly. Because of pathlen:0 in the config, the root can only sign end-entity certificates, not intermediate CAs. It's used in the article: How to configure certification based client authentication with Nginx ?

If you want to be your own CA, this section shows you how to create a root CA certificate.

It will create:

  • The config file ca.ini with:

[ req ]
# Options for the `req` tool: PKCS#10 certificate request and certificate generating utility (`man req`)
distinguished_name	= req_distinguished_name
# do not prompt for the DN fields; take them from [ req_distinguished_name ]
prompt			= no

# Extensions to add when the -x509 option is used (certificate creation in one pass)
x509_extensions     = ca_certificate_extensions

# Default message digest for the signature. SHA-1 is deprecated, so use the SHA-2 family:
# TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm
# https://support.apple.com/en-us/HT210176
default_md          = sha256

[ req_distinguished_name ]
# Subject (DN) of the root CA; it becomes the issuer name of every certificate the root signs.
# C must be the two-letter ISO 3166 country code: openssl rejects a longer value ("string too long")
C			= XX
O			= YourOrganisationFullName
CN			= YourOrganisationName

[ ca_certificate_extensions ]

# A CA certificate must contain CA:true.
# pathlen:0 - the certificate can only be used to sign end-entity certificates, not further (intermediate) CAs.
# critical - a validator that does not understand the extension must reject the certificate rather than ignore it.
basicConstraints = critical, CA:true, pathlen:0

# Key usage the CA key is allowed for: signing certificates (keyCertSign) and CRLs (cRLSign);
# digitalSignature covers signing other data with the CA key, such as OCSP responses.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Extended key usage: the purposes the CA will issue certificates for. Some validators (Windows CryptoAPI,
# Go's crypto/x509) also apply the EKU of CA certificates to the whole chain, so list both server and client auth.
extendedKeyUsage=serverAuth, clientAuth

# As in the v3_ca example of https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
  • The one-liner that generates the self-signed root certificate and its private key:
openssl req \
    -x509 `# output a self-signed certificate instead of a certificate request` \
    -newkey rsa:2048 `# generate a new 2048-bit RSA private key` \
    -nodes `# do not encrypt the private key (OpenSSL 3 also accepts -noenc)` \
    -keyout root_private_key.pem `# the name of the private key file` \
    -out root_certificate.pem `# the name of the root certificate file` \
    -config ca.ini `# the DN and extensions for the certificate` \
    -sha256 `# SHA-2 family, as required by Apple https://support.apple.com/en-us/HT210176` \
    -days 1460 `# validity: 1460 days, i.e. 4 years`
Note that -nodes leaves the root private key unencrypted on disk; for anything beyond a test setup, drop it so that OpenSSL protects the key with a passphrase, and keep the key file off the server that uses the certificate.
  • Output:
Generating a RSA private key
..............................................+++++
..............................................+++++
writing new private key to 'root_private_key.pem'
-----
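As an added example (not code from the original page or from the Nginx article it references), the same root-CA profile is built below with Go's crypto/x509 instead of the OpenSSL CLI, so that the effect of pathlen:0 can be checked programmatically: the root signs a client certificate directly and that chain verifies; the same root is then used to sign an intermediate CA that in turn signs a client certificate, and that chain is rejected. The subject values, serial numbers, the P-256 key type standing in for RSA 2048, and the helper names (NewRootCA, issue, leafTemplate, VerifyClient, PathLenDemo) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Validity shared by every certificate in the example: 1460 days, like -days 1460.
var (
	notBefore = time.Now().Add(-time.Hour)
	notAfter  = notBefore.Add(1460 * 24 * time.Hour)
)

// NewRootCA builds a self-signed root with the extensions of the
// [ ca_certificate_extensions ] section: CA:true with pathlen:0, keyUsage
// digitalSignature|cRLSign|keyCertSign, EKU serverAuth+clientAuth. Go derives
// subjectKeyIdentifier itself for CA templates. The subject values are
// placeholders and a P-256 key stands in for RSA 2048 (assumptions).
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{"XX"}, // C must be a two-letter country code
			Organization: []string{"YourOrganisationFullName"},
			CommonName:   "YourOrganisationName",
		},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		MaxPathLen: 0, MaxPathLenZero: true, // MaxPathLen 0 alone means "absent"; the flag encodes pathlen:0
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, tmpl, nil)
}

// issue generates a fresh key for tmpl and has parent/parentKey sign it
// (self-signed when parentKey is nil); it returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafTemplate is an end-entity (CA:false) client certificate template.
func leafTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, // encodes CA:false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// VerifyClient validates leaf -> intermediates -> root for client authentication,
// the same chain building a TLS server does when it requires client certificates.
func VerifyClient(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: pool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// PathLenDemo issues one client certificate straight from the root and one through
// an intermediate CA that the root also signed, and returns both verify results.
// Signing the intermediate succeeds: pathlen:0 is enforced by verifiers, not by the
// signing tool, so the second chain only fails when it is validated.
func PathLenDemo() (direct, viaIntermediate error) {
	root, rootKey, err := NewRootCA()
	if err != nil {
		return err, err
	}
	leaf, _, err := issue(leafTemplate(2, "client-direct"), root, rootKey)
	if err != nil {
		return err, err
	}
	direct = VerifyClient(root, leaf) // nil: one CA, zero intermediates

	interTmpl := leafTemplate(3, "Intermediate CA")
	interTmpl.IsCA = true // CA:true without pathlen
	interTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	interTmpl.ExtKeyUsage = nil
	inter, interKey, err := issue(interTmpl, root, rootKey)
	if err != nil {
		return direct, err
	}
	leaf2, _, err := issue(leafTemplate(4, "client-via-intermediate"), inter, interKey)
	if err != nil {
		return direct, err
	}
	return direct, VerifyClient(root, leaf2, inter) // non-nil: one intermediate exceeds pathlen:0
}
```

The parsed root exposes the same fields that `openssl x509 -in root_certificate.pem -noout -text` prints for the OpenSSL-generated certificate (basicConstraints, keyUsage, extendedKeyUsage, subjectKeyIdentifier), so the two can be compared side by side. The EKU on the root matters for the direct chain: Go's verifier checks the requested clientAuth purpose against every certificate in the chain, including the root, which is why the config lists both serverAuth and clientAuth.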