Create a root certificate

This procedure describes how to create a root certificate, which determines that you are a valid authority and are allowed to sign certificates.

This procedure creates the following two files:

  • textml_root_cert.pem: Certificate Authority (CA) root certificate
  • textml_root_privatekey.pem: Private key specific to the TEXTML Server root CA; you will need this key to sign the CSR
Store your CA root certificate and private key in a safe location since you will need these files if you need to re-sign your certificate (for example, when it expires). Ideally, you should not store these files on the TEXTML Server.
To create a root certificate:
  1. In the openssl directory, run the following command:
    openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem 
    -out ./CA/newcerts/textml_root_cert.pem -days <number_of_days> -config ./openssl.cnf
    • <number_of_days>: Specifies how long the root certificate is valid, in days
    For example:
    openssl req -new -x509 -extensions v3_ca -keyout ./CA/private/textml_root_privatekey.pem 
    -out ./CA/newcerts/textml_root_cert.pem -days 365 -config ./openssl.cnf
    The following message is displayed:
    Enter PEM pass phrase:
  2. Enter a passphrase to protect the CA certificate and press Enter.
    The following message is displayed:
    Verifying - Enter PEM pass phrase:
  3. Enter the passphrase again and press Enter.
  4. Enter the information requested, as follows:
    Organization Name Exact legal name of your organization.

    For example, ACME

    Organizational Unit Name Section of the organization. Optional.

    For example, Technical Publications.

    Email Address Email address for the certificate. Optional.

    For example,

    Locality Name City where your organization is located.

    For example, Montreal.

    State or Province Name State or province where your organization is located.

    For example, Quebec.

    Country Name Two-letter ISO code for your country.

    For example, CA.

    For the detailed list, see the following URL:

    Common Name Fully qualified domain name (FQDN) of the TEXTML Server. This must be the exact URL.

    For example, dita-textml.acme.local.

The root CA and private key files are created.