Create the Root Certificate
The root key is private (*.key) and should be kept absolutely secure (usually on an air-gapped machine).
Note: the paths to all the certificates must be correct (the repository should be cloned into C:\Certificates); otherwise you will have to re-path all the files used in this installation.
- Open a command window and cd into the Root CA folder:
  cd C:\Certificates\DoD\CA
- Use the following command to create the private key:
  openssl genrsa -aes256 -out private/rootca.key
- Follow the prompts to create a password for the private key. Do not lose this password! There is no password reset.
- Use the following command to create the public certificate:
  openssl req -config rootca.cnf -key private/rootca.key -new -x509 -days 7305 -sha256 -extensions v3_ca -out public/rootca.cer
- Enter the password for the private key you are using.
- Press Enter on all the prompts to use the defaults. Note: use something similar to "MOCK DoD Root CA" for the common name. (It's important that you remember the settings you enter on the Root CA, because some of the Intermediate CA settings will have to match exactly.)
- You can verify the root CA by using the following command:
  openssl x509 -noout -text -in public/rootca.cer
  Since it is self-signed, the Issuer and the Subject should both show the default values (or the values you entered):
  C = US, ST = GA, L = Fort Benning, O = U.S. Government, OU = DoD, OU = USASOC, OU = 75RR, CN = MOCK DoD Root CA, emailAddress = [email protected]
  Key Usage is Digital Signature, Certificate Sign, and CRL Sign.
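The same two openssl steps, scripted so the result can be checked rather than eyeballed. This is an added example, not part of the original page or repository: the minimal rootca.cnf it writes is constructed (the repository's own rootca.cnf is not shown here), and the passphrase is passed with -passout/-passin instead of being typed at the prompt.

```shell
# Added example (not from the page): build the mock root CA unattended, then
# check the properties the page says a self-signed root must have.
# Constructed/assumed: the minimal rootca.cnf below and the -passout/-passin
# passphrase handling; the page's own rootca.cnf and prompts are not shown.
set -e

# Minimal CA config with a v3_ca section; constructed for this example.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
C  = US
ST = GA
L  = Fort Benning
O  = U.S. Government
OU = DoD
CN = MOCK DoD Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_root_ca DIR PASSPHRASE: the page's genrsa + req -x509 steps, unattended.
make_root_ca() {
    mkdir -p "$1/private" "$1/public"
    write_ca_config "$1/rootca.cnf"
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/private/rootca.key" 2048 2>/dev/null
    openssl req -config "$1/rootca.cnf" -key "$1/private/rootca.key" -passin "pass:$2" \
        -new -x509 -days 7305 -sha256 -extensions v3_ca -out "$1/public/rootca.cer"
}

# key_is_encrypted KEY: PEM must be passphrase-protected (OpenSSL 3 and 1.1 both say ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# check_root_ca CERT: succeeds only if the cert verifies against itself
# (self-signed), is marked CA:TRUE and carries exactly the page's key usages.
check_root_ca() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -noout -text -in "$1")
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' |
        grep -q 'Digital Signature, Certificate Sign, CRL Sign'
}
```

Run `make_root_ca /tmp/ca 'your-passphrase' && check_root_ca /tmp/ca/public/rootca.cer` and a zero exit status means the root is self-signed, CA:TRUE, and has the Digital Signature, Certificate Sign and CRL Sign usages the page expects.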
Next: Import the Root CA into the client