Generating a self-signed root CA with an RSA key

  1. Generate a 2048-bit RSA key pair for the root CA:
    OpenSSL> genrsa -out rootca-keypair.pem 2048
  2. Generate a self-signed root CA cert using the rootca-openssl.cnf config file. The signature digest is SHA-512:
    OpenSSL> req -config rootca-openssl.cnf -new -x509 -key rootca-keypair.pem -out rootca-cert.pem -extensions v3_req -days 3650 -sha512
  3. Convert the cert format from PEM to DER:
    OpenSSL> x509 -inform PEM -in rootca-cert.pem -outform DER -out rootca-cert.der
  4. Encrypt the root CA private key and write it in DER format, with the password set to 111112Aa:
    OpenSSL> pkcs8 -topk8 -in rootca-keypair.pem -inform PEM -outform DER -out enc-rootca-key.der -passout pass:111112Aa -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
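
The four steps above as a non-interactive script that also verifies each output file. This is an added example, not part of the original page: the commands run as plain `openssl` subcommands rather than at the `OpenSSL>` prompt, the function name `build_and_check_rootca` is hypothetical, and the config written by the script is a constructed stand-in for rootca-openssl.cnf, whose contents the page does not show.

```shell
#!/bin/sh
# Added example: run steps 1-4 in a scratch directory, then verify each artifact.
# Returns 0 on success, 1 if a step fails, or 2-6 for the check that failed.
build_and_check_rootca() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Constructed stand-in for rootca-openssl.cnf; the real file is not shown on the page.
        cat > rootca-openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA
[ v3_req ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
        pw=111112Aa   # sample password from step 4
        openssl genrsa -out rootca-keypair.pem 2048 2>/dev/null || exit 1
        openssl req -config rootca-openssl.cnf -new -x509 -key rootca-keypair.pem \
            -out rootca-cert.pem -extensions v3_req -days 3650 -sha512 || exit 1
        openssl x509 -inform PEM -in rootca-cert.pem -outform DER -out rootca-cert.der || exit 1
        openssl pkcs8 -topk8 -in rootca-keypair.pem -inform PEM -outform DER \
            -out enc-rootca-key.der -passout "pass:$pw" \
            -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096 || exit 1
        # Check 2: the cert verifies against itself, i.e. it is self-signed.
        openssl verify -CAfile rootca-cert.pem rootca-cert.pem >/dev/null 2>&1 || exit 2
        # Check 3: the DER cert carries a SHA-512 signature and is marked as a CA.
        text=$(openssl x509 -inform DER -in rootca-cert.der -noout -text) || exit 3
        printf '%s\n' "$text" | grep -q 'sha512WithRSAEncryption' || exit 3
        printf '%s\n' "$text" | grep -q 'CA:TRUE' || exit 3
        # Check 4: the key file is a PBES2 structure using HMAC-SHA512 as the PRF.
        asn1=$(openssl asn1parse -inform DER -in enc-rootca-key.der) || exit 4
        printf '%s\n' "$asn1" | grep -q 'PBES2' || exit 4
        printf '%s\n' "$asn1" | grep -q 'hmacWithSHA512' || exit 4
        # Check 5: the password decrypts it, and the key matches the cert's public key.
        key_pub=$(openssl pkcs8 -inform DER -in enc-rootca-key.der -passin "pass:$pw" |
            openssl pkey -pubout 2>/dev/null)
        cert_pub=$(openssl x509 -in rootca-cert.pem -noout -pubkey)
        [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || exit 5
        # Check 6: a wrong password must not decrypt the key.
        if openssl pkcs8 -inform DER -in enc-rootca-key.der -passin pass:wrong >/dev/null 2>&1
        then exit 6; fi
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```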