Creating a Certificate Authority (CA) Certificate
The first step in creating a certificate hierarchy is creating the root Certificate Authority (CA) certificate. The CA certificate is used to issue user certificates.
A certificate is created by generating a certificate request and then having the CA validate and sign it. Since this is a root CA certificate, there is no higher CA to sign the request, so the certificate is self-signed instead and its CA flag is set.
The following Universal Certificate command creates:
- Certificate request, which it writes to file req.pem
- Private key, which it writes to file cakey.pem
ucert -create request -request_file req.pem -private_key_file cakey.pem -country US -state Maryland -locality Baltimore -organization "Acme, Inc." -common_name "Acme CA"
It is imperative that the private key file cakey.pem is secured so that no one other than the CA has read access. If unauthorized access is gained to the CA's private key, all certificates issued by the CA can no longer be trusted.
The following Universal Certificate command creates the CA certificate and writes it to file cacert.pem.
ucert -create cert -request_file req.pem -cert_file cacert.pem -private_key_file cakey.pem -ca yes
The CA certificate, cacert.pem, must be made available to any system that wants to consider the certificates issued by the CA as valid.
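The two-step procedure above as a shell script, followed by the checks a practitioner runs on the results: that cakey.pem is readable only by its owner, that cacert.pem actually carries the CA flag, and that it validates as its own trust anchor. This is an added example, not part of the Universal Certificate documentation; because ucert is not present on most systems, openssl stands in for the two ucert commands (same subject fields as the page's command), and the working directory and the 10-year validity are assumptions.

```shell
#!/bin/sh
# Added example: root CA creation with openssl standing in for ucert,
# plus post-creation checks. WORKDIR and the validity period are assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/ST=Maryland/L=Baltimore/O=Acme, Inc./CN=Acme CA"

# Step 1: private key and certificate request (ucert -create request).
# umask 077 in a subshell makes cakey.pem owner-only from the moment it
# is created, rather than tightening it after the fact.
create_ca_request() {
    ( umask 077
      openssl genrsa -out "$WORKDIR/cakey.pem" 2048 2>/dev/null
      openssl req -new -key "$WORKDIR/cakey.pem" -subj "$SUBJ" \
          -out "$WORKDIR/req.pem" )
}

# Step 2: self-sign the request and set the CA flag (ucert -create cert
# ... -ca yes). The extension file is what turns a plain self-signed
# certificate into one that verifiers accept as an issuer.
create_ca_cert() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/ca.ext"
    openssl x509 -req -in "$WORKDIR/req.pem" -signkey "$WORKDIR/cakey.pem" \
        -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/cacert.pem" 2>/dev/null
}

# Checks: key mode must be 600, certificate must carry CA:TRUE, and the
# certificate must verify against itself as the trust anchor.
# Returns non-zero (with a reason on stdout) on the first failure.
verify_ca_files() {
    mode=$(stat -c '%a' "$WORKDIR/cakey.pem" 2>/dev/null \
        || stat -f '%Lp' "$WORKDIR/cakey.pem")
    [ "$mode" = "600" ] || { echo "cakey.pem mode is $mode, expected 600"; return 1; }
    openssl x509 -in "$WORKDIR/cacert.pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "cacert.pem does not have the CA flag set"; return 1; }
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/cacert.pem" >/dev/null \
        || { echo "cacert.pem does not verify as its own trust anchor"; return 1; }
}

create_ca_request
create_ca_cert
verify_ca_files && echo "root CA files ready in $WORKDIR"
```

The verify_ca_files function applies unchanged to files produced by the ucert commands on this page; only the two create_* functions are openssl stand-ins.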