Generating an RSA key self-signed root CA
- Generate a key pair for the root CA, whose key size is 2048:
  OpenSSL> genrsa -out rootca-keypair.pem 2048
- Generate a self-signed root CA cert with the rootca-openssl.cnf config file. The signature digest is sha512:
  OpenSSL> req -config rootca-openssl.cnf -new -x509 -key rootca-keypair.pem -out rootca-cert.pem -extensions v3_req -days 3650 -sha512
- Convert the cert format from PEM to DER:
  OpenSSL> x509 -inform PEM -in rootca-cert.pem -outform DER -out rootca-cert.der
- Encrypt the root CA private key to DER. Set the password to 111112Aa:
  OpenSSL> pkcs8 -topk8 -in rootca-keypair.pem -inform PEM -outform DER -out enc-rootca-key.der -passout pass:111112Aa -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
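
The four steps above as a non-interactive script that also checks what they produced; this is an added example, not part of the original page. The contents of rootca-openssl.cnf (subject name and v3_req extensions) are assumptions, because the page does not show that file, and build_rootca and check_rootca are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original page. The rootca-openssl.cnf written
# below is a constructed minimal config (assumption); the page does not show it.
PASS=111112Aa   # sample password used on the page

build_rootca() (   # $1 = empty working directory
    cd "$1" || exit 1
    cat > rootca-openssl.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = Example Root CA
[ v3_req ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out rootca-keypair.pem 2048 2>/dev/null &&
    openssl req -config rootca-openssl.cnf -new -x509 -key rootca-keypair.pem \
        -out rootca-cert.pem -extensions v3_req -days 3650 -sha512 &&
    openssl x509 -inform PEM -in rootca-cert.pem -outform DER -out rootca-cert.der &&
    openssl pkcs8 -topk8 -in rootca-keypair.pem -inform PEM -outform DER \
        -out enc-rootca-key.der -passout "pass:$PASS" \
        -v1 PBES2 -v2prf hmacWithSHA512 -iter 4096
)

check_rootca() (   # $1 = directory filled by build_rootca
    cd "$1" || exit 1
    text=$(openssl x509 -in rootca-cert.pem -noout -text) || exit 1
    # Signed with SHA-512 and marked as a CA certificate
    echo "$text" | grep -q 'Signature Algorithm: sha512WithRSAEncryption' || exit 1
    echo "$text" | grep -q 'CA:TRUE' || exit 1
    # Self-signed: the certificate verifies with itself as the only trust anchor
    openssl verify -CAfile rootca-cert.pem rootca-cert.pem >/dev/null || exit 1
    # The DER file is the same certificate as the PEM file
    fp() { openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256; }
    [ "$(fp PEM rootca-cert.pem)" = "$(fp DER rootca-cert.der)" ] || exit 1
    # The encrypted key names HMAC-SHA512 as its PRF, opens with the password,
    # and carries the same public key as the certificate
    openssl asn1parse -inform DER -in enc-rootca-key.der | grep -q hmacWithSHA512 || exit 1
    pub=$(openssl pkcs8 -inform DER -in enc-rootca-key.der -passin "pass:$PASS" |
          openssl pkey -pubout) || exit 1
    [ "$pub" = "$(openssl x509 -in rootca-cert.pem -noout -pubkey)" ] || exit 1
)

d=$(mktemp -d) && build_rootca "$d" && check_rootca "$d" && echo "root CA OK: $d"
```

The unencrypted rootca-keypair.pem is still on disk after the last step; remove it once enc-rootca-key.der has passed the check.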