In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).
A certificate authority (CA) can issue many certificates, arranged as a tree. The root certificate sits at the top of that tree, and its private key is used to “sign” the certificates beneath it. Every certificate signed by the root certificate, with the CA field set to true, inherits the root’s trustworthiness – a signature by a root certificate is roughly analogous to “notarizing” an identity in the physical world.
Generate the Root CA private key (-des3 encrypts the key file with a passphrase, which you will be prompted for here and whenever the key is used):
openssl genrsa -des3 -out rootCA.key 4096
Request and self-sign the Root Certificate (CA), using the key from the previous step:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 2048 -out rootCA.crt
Generate the wildcard certificate’s private key (KEY):
openssl genrsa -out star.openthreat.ro.key 4096
Create the certificate signing request (CSR) in one line, taking the subject details from a config file:
openssl req -new -key star.openthreat.ro.key -out star.openthreat.ro.csr -config star.openssl.cnf
Verify the CSR’s content before sending it to be signed:
openssl req -in star.openthreat.ro.csr -noout -text
Generate the certificate from the star.openthreat.ro CSR and key, signed with the Root CA key and using the EXT file:
openssl x509 -req -in star.openthreat.ro.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out star.openthreat.ro.crt -days 1000 -sha256 -extfile star.openthreat.ro.ext
Verify the new certificate’s content (in particular the issuer, the validity period, CA:FALSE and the SAN):
openssl x509 -in star.openthreat.ro.crt -text -noout
The EXT file used in this example is the following; basicConstraints=CA:FALSE keeps the leaf from acting as a CA itself, and subjectAltName carries the wildcard name that clients actually match against:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.openthreat.ro
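As an added example (not code from the original post), here is the whole procedure above run end to end in a scratch directory as a POSIX shell function, followed by the checks worth running before deploying the result: the leaf chains to rootCA.crt, it is marked CA:FALSE, its SAN carries the wildcard, and a client without the root in its trust store rejects it. Assumed: openssl in PATH, a placeholder passphrase and -subj values standing in for the interactive prompts and the star.openssl.cnf file the page does not show, and 2048-bit keys instead of 4096 only to keep it fast.

```shell
# Added example, not the original post's code. Assumptions: openssl in PATH;
# the passphrase and -subj values are constructed stand-ins for the page's
# interactive prompts and its unshown star.openssl.cnf; 2048-bit keys replace
# the page's 4096 only to keep the demo fast.

build_and_verify_pki() {
  workdir=$(mktemp -d) || return 1
  pass="pass:CHANGE-ME"   # constructed placeholder; prompt or use a key store in production
  # Same extension file as the page: leaf is not a CA, SAN carries the wildcard.
  cat > "$workdir/star.openthreat.ro.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.openthreat.ro
EOF

  (
    set -e
    cd "$workdir"
    # Root CA: passphrase-protected key (the page's -des3) and self-signed certificate.
    openssl genrsa -des3 -passout "$pass" -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin "$pass" -sha256 -days 2048 \
      -subj "/CN=Example Root CA" -out rootCA.crt
    # Wildcard leaf: key, CSR, then a certificate signed by the root using the EXT file.
    openssl genrsa -out star.openthreat.ro.key 2048 2>/dev/null
    openssl req -new -key star.openthreat.ro.key -subj "/CN=*.openthreat.ro" \
      -out star.openthreat.ro.csr
    openssl x509 -req -in star.openthreat.ro.csr -CA rootCA.crt -CAkey rootCA.key \
      -passin "$pass" -CAcreateserial -days 1000 -sha256 \
      -extfile star.openthreat.ro.ext -out star.openthreat.ro.crt 2>/dev/null
    # Check 1: the leaf builds a valid chain to the root we just generated.
    openssl verify -CAfile rootCA.crt star.openthreat.ro.crt >/dev/null
    # Checks 2 and 3: basicConstraints really is CA:FALSE (a CA:TRUE leaf could mint
    # certificates for any name under this root) and the SAN carries the wildcard.
    leaf=$(openssl x509 -in star.openthreat.ro.crt -noout -text)
    printf '%s\n' "$leaf" | grep -q 'CA:FALSE'
    printf '%s\n' "$leaf" | grep -q 'DNS:\*\.openthreat\.ro'
    # Check 4: a client without rootCA.crt in its trust store must reject the leaf;
    # a private root is trusted nowhere by default and has to be distributed deliberately.
    if openssl verify -no-CAfile -no-CApath star.openthreat.ro.crt >/dev/null 2>&1; then
      exit 1
    fi
  )
  status=$?
  rm -rf "$workdir"
  return "$status"
}
```

The function returns 0 only when every check passes, so it can be dropped into a CI job that builds test PKI material.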