About
A root certificate is a CA certificate that sits at the top of the certificate chain.
A root CA certificate is a certificate authority certificate that is self-signed: it is issued and signed by the same entity it identifies, so trust in it comes from the trust store, not from another signature.
Example: Root CA to sign client certificate
This example shows how to create a root CA that can only sign end-entity (client) certificates and not further CAs, because of the pathlen:0 constraint in the config. It's used in the article: How to configure certification based client authentication with Nginx ?
If you want to be your own CA, this section shows you how to create a root CA certificate.
It will create:
- a private key
- and a self-signed certificate
The config file (ca.ini, referenced by the command below):
[ req ]
# Options for the `req` tool: PKCS#10 certificate request and certificate generating utility (`man req`)
distinguished_name = req_distinguished_name
# Do not prompt for the DN fields; take them from the section below
prompt = no
# Extensions to add when the -x509 option is used (certificate creation in one pass)
x509_extensions = ca_certificate_extensions
# Default message digest used for the signature (and the fingerprint).
# SHA-1 is deprecated, so use the SHA-2 family instead: TLS server certificates
# and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm
# https://support.apple.com/en-us/HT210176
default_md = sha256
[ req_distinguished_name ]
# DN used to create the CA root
C = YourCountry
O = YourOrganisationFullName
CN = YourOrganisationName
[ ca_certificate_extensions ]
# A CA certificate must contain CA:true
# pathlen:0 - the certificate can only be used to sign end user certificates and not further CAs
basicConstraints = critical, CA:true, pathlen:0
# Key Usage: the CA key signs certificates and CRLs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Purposes this CA signs for (server or client auth). Note: some validators treat an
# EKU on a CA certificate as a restriction on the EKUs the certificates it issues may carry
extendedKeyUsage=serverAuth, clientAuth
# as seen at https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html under the v3_ca example
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- The one-liner that generates the self-signed root certificate and its private key:
openssl req \
-x509 `# Output a self-signed certificate instead of a certificate request` \
-newkey rsa:2048 `# Generate a new RSA private key of size 2048 bit` \
-nodes `# don't encrypt the private key` \
-keyout root_private_key.pem `# the name of the private key file` \
-out root_certificate.pem `# the name of the root certificate file` \
-config ca.ini `# the DN information and extensions for the certificate` \
-sha256 `# SHA-2 family required by Apple https://support.apple.com/en-us/HT210176` \
-days 1460 `# validity in days (1460 days, i.e. 4 years)`
- Output:
Generating a RSA private key
..............................................+++++
..............................................+++++
writing new private key to 'root_private_key.pem'
-----
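Putting the config and the one-liner together as a script that also verifies the resulting certificate (an added example, not code from the original article; the file names follow the page, while the subject values and the temporary working directory are constructed here):

```shell
#!/bin/sh
# Added example (not from the article): build the root CA exactly as described
# above, then verify the properties a relying party depends on.
# Assumptions: file names follow the page (ca.ini, root_private_key.pem,
# root_certificate.pem); subject values are constructed placeholders.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CONFIG="$WORKDIR/ca.ini"; KEY="$WORKDIR/root_private_key.pem"; CERT="$WORKDIR/root_certificate.pem"

# The page's config, minus comments.
write_config() {
cat > "$CONFIG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_certificate_extensions
default_md = sha256
[ req_distinguished_name ]
C = FR
O = Example Org
CN = Example Org Root CA
[ ca_certificate_extensions ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# The page's one-liner, run non-interactively (prompt = no in the config).
generate_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -config "$CONFIG" -sha256 -days 1460 2>/dev/null
}
cert_text() { openssl x509 -in "$CERT" -noout -text; }

# Each check prints ok/fail: the certificate verifies against itself (self-signed),
# carries CA:TRUE with pathlen:0, is signed with SHA-256 and may sign certificates.
check_self_signed() { openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1 && echo ok || echo fail; }
check_path_len()    { cert_text | grep -q 'CA:TRUE, pathlen:0' && echo ok || echo fail; }
check_sig_alg()     { cert_text | grep -q 'sha256WithRSAEncryption' && echo ok || echo fail; }
check_key_usage()   { cert_text | grep -q 'Certificate Sign' && echo ok || echo fail; }

write_config
generate_root_ca
for c in check_self_signed check_path_len check_sig_alg check_key_usage; do
  printf '%s: %s\n' "$c" "$("$c")"
done
```

The same checks can be run against any CA certificate you are about to trust by pointing CERT at it, which is a quick way to catch a root that lacks the path-length limit or keyCertSign.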