Generating an RSA key customer certificate

To generate a customer certificate request and sign it with the root CA:

  1. Generate a key pair for the customer CA with a key size of 2048 bits:
    OpenSSL> genrsa -out Customer-keypair.pem 2048
  2. Generate the Customer cert request with the Customer-openssl.cnf config file:
    OpenSSL> req -config Customer-openssl.cnf -key Customer-keypair.pem -new -out Customer-req.pem
  3. Sign the certificate request with the root CA. The signature digest is sha512:
    OpenSSL> x509 -req -in Customer-req.pem -out Customer-cert.pem -extfile Customer-openssl.cnf -extensions v3_req -CA rootca-cert.pem -CAkey rootca-keypair.pem -CAcreateserial -days 365 -sha512
  4. Convert the Customer cert format from PEM to DER:
    OpenSSL> x509 -inform PEM -in Customer-cert.pem -outform DER -out Customer-cert.der
  5. Encrypt the Customer private key and convert its format from PEM to DER:
    OpenSSL> pkcs8 -topk8 -inform PEM -in Customer-keypair.pem -outform DER -out enc-Customer-key.der -passout pass:111111Aa -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
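
The five steps above as a non-interactive script that also checks each output file. This is an added example, not part of the original page. The throwaway root CA, the contents of Customer-openssl.cnf and the helper function names are assumptions, since the page does not show its own config file or root CA.

```shell
# Added example: runs steps 1-5 in a temp directory, then checks the outputs.
# The root CA and the Customer-openssl.cnf contents are constructed stand-ins.
PASS='111111Aa'   # sample passphrase from step 5

build_customer_cert() {   # hypothetical helper
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
        '[ dn ]' 'CN = Example Customer' '[ v3_req ]' 'keyUsage = digitalSignature' \
        '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' > Customer-openssl.cnf &&
    # Throwaway root CA so the example runs offline
    openssl genrsa -out rootca-keypair.pem 2048 2>/dev/null &&
    openssl req -config Customer-openssl.cnf -x509 -new -key rootca-keypair.pem \
        -subj '/CN=Example Root CA' -extensions v3_ca -days 365 -sha512 -out rootca-cert.pem &&
    # Steps 1-5 as on the page
    openssl genrsa -out Customer-keypair.pem 2048 2>/dev/null &&
    openssl req -config Customer-openssl.cnf -key Customer-keypair.pem \
        -new -out Customer-req.pem &&
    openssl x509 -req -in Customer-req.pem -out Customer-cert.pem \
        -extfile Customer-openssl.cnf -extensions v3_req -CA rootca-cert.pem \
        -CAkey rootca-keypair.pem -CAcreateserial -days 365 -sha512 2>/dev/null &&
    openssl x509 -inform PEM -in Customer-cert.pem -outform DER -out Customer-cert.der &&
    openssl pkcs8 -topk8 -inform PEM -in Customer-keypair.pem -outform DER \
        -out enc-Customer-key.der -passout "pass:$PASS" -v1 PBES2 \
        -v2prf hmacWithSHA512 -iter 4096
}

verify_outputs() {   # hypothetical helper: returns 0 only if every check passes
    # 1. The certificate chains to the root CA and carries a SHA-512 signature
    openssl verify -CAfile rootca-cert.pem Customer-cert.pem >/dev/null 2>&1 &&
    openssl x509 -in Customer-cert.pem -noout -text |
        grep -q 'Signature Algorithm: sha512WithRSAEncryption' &&
    # 2. The DER file holds the same certificate as the PEM file
    [ "$(openssl x509 -in Customer-cert.pem -noout -fingerprint -sha256)" = \
      "$(openssl x509 -inform DER -in Customer-cert.der -noout -fingerprint -sha256)" ] &&
    # 3. The encrypted key opens with the passphrase and matches the certificate
    [ "$(openssl pkcs8 -inform DER -in enc-Customer-key.der -passin "pass:$PASS" |
         openssl pkey -pubout)" = "$(openssl x509 -in Customer-cert.pem -noout -pubkey)" ] &&
    # 4. The key file records the HMAC-SHA512 PRF; a wrong passphrase is rejected
    openssl asn1parse -inform DER -in enc-Customer-key.der | grep -q hmacWithSHA512 &&
    ! openssl pkcs8 -inform DER -in enc-Customer-key.der -passin pass:wrong >/dev/null 2>&1
}

build_and_verify() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && build_customer_cert && verify_outputs )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
build_and_verify && echo "all checks passed"
```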