Root Certificate

About

A root certificate is a CA certificate that is located at the top of the certificate chain.

A root CA certificate is a certificate authority certificate that is self-signed.

Example: Root CA to sign client certificate

This example shows you how to create a root CA that can sign client certificates (and only end-entity certificates, because of the pathlen:0 setting in the config). It's used in the article: How to configure certification based client authentication with Nginx ?

If you want to be your own CA, this section shows you how to create a root CA certificate.

It will create:

  • The config file (ca.ini) with:

[ req ]
# Options for the `req` tool: PKCS#10 certificate request and certificate generating utility (`man req`)
distinguished_name = req_distinguished_name
# do not prompt for the DN fields; take them from the req_distinguished_name section
prompt = no

# Extensions to add when the -x509 option is used (certificate creation in one pass)
x509_extensions = ca_certificate_extensions

# Default message digest used for the signature (hash/fingerprint).
# SHA-1 is deprecated, so use the SHA-2 family instead:
# TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm
# https://support.apple.com/en-us/HT210176
default_md = sha256

[ req_distinguished_name ]
# Distinguished name (DN) used to create the root CA
C = YourCountry
O = YourOrganisationFullName
CN = YourOrganisationName

[ ca_certificate_extensions ]

# A CA certificate must contain CA:true
# pathlen:0 - the certificate can only be used to sign end-entity certificates, not further CAs
basicConstraints = critical, CA:true, pathlen:0

# Key usage: signing certificates and CRLs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# The CA may issue certificates used for server or client authentication
extendedKeyUsage = serverAuth, clientAuth

# as seen in https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html under the v3_ca example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
  • With the one-liner to generate the self-signed root certificate and its private key:
openssl req \
    -x509 `# output a self-signed certificate instead of a certificate request` \
    -newkey rsa:2048 `# generate a new RSA private key of 2048 bits` \
    -nodes `# don't encrypt the private key` \
    -keyout root_private_key.pem `# the name of the private key file` \
    -out root_certificate.pem `# the name of the root certificate file` \
    -config ca.ini `# the DN information and extensions for the certificate` \
    -sha256 `# SHA-2 family required by Apple https://support.apple.com/en-us/HT210176` \
    -days 1460 `# validity in days (1460 days = 4 years), as seen on the root certificate`
  • Output:
Generating a RSA private key
..............................................+++++
..............................................+++++
writing new private key to 'root_private_key.pem'
-----
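As an added example (not from the original page), the following script writes an equivalent ca.ini, runs the same `openssl req -x509` step, signs a client certificate with the root, and then checks with `openssl verify` that a certificate issued through an intermediate CA is rejected because of pathlen:0. It assumes openssl is in PATH; the DN values and file names are constructed for the demonstration.

```shell
# Added example, not from the page: a root CA with the page's extensions signs a
# client cert; pathlen:0 then makes openssl reject a chain through a sub-CA.
# Assumes openssl in PATH; the DN values and file names are constructed.
set -e
WORK="$(mktemp -d)"
cat > "$WORK/ca.ini" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_certificate_extensions
default_md = sha256
[ req_distinguished_name ]
C = US
O = Example Org
CN = Example Root CA
[ ca_certificate_extensions ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
# Self-signed root certificate and its unencrypted key (the page's one-liner).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.ini" -sha256 \
    -days 1460 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}
# issue NAME ISSUER EXT...: new key and CSR for NAME, signed with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  name=$1; issuer=$2; shift 2; printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
    -CAcreateserial -extfile "$WORK/$name.ext" -days 365 -out "$WORK/$name.pem" 2>/dev/null
}
# verify_leaf NAME [INTERMEDIATE]: succeeds only when NAME chains to the root.
verify_leaf() {
  if [ -n "$2" ]; then set -- -untrusted "$WORK/$2.pem" "$WORK/$1.pem"; else set -- "$WORK/$1.pem"; fi
  openssl verify -CAfile "$WORK/root.pem" "$@" >/dev/null 2>&1
}
# 0 only if the client cert verifies and the sub-CA chain fails (path length exceeded).
run_demo() {
  make_root
  issue client root basicConstraints=critical,CA:false extendedKeyUsage=clientAuth
  verify_leaf client || return 1
  issue subca root basicConstraints=critical,CA:true keyUsage=critical,keyCertSign,cRLSign
  issue leaf2 subca basicConstraints=critical,CA:false
  verify_leaf leaf2 subca && return 1
  return 0
}
run_demo && echo "client certificate verifies; chain through sub-CA rejected by pathlen:0"
```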