Generate a root CA certificate whose extensions are equivalent to those of DigiCert Global Root CA
This is the follow-up to the article My CA preparation supporting OCSP - Shammerism.
The first step is to build up my own root CA. Article title includes
But the root CA is simple, because neither CRL Distribution Points nor AIA is needed when generating a root CA certificate.
Those are required when signing an intermediate CA with a root CA certificate.
So the openssl config for generating the root CA certificate requires no modification.
I generated the root CA cert with the following conf file.
[ default ]
dir = .
name_opt = multiline,-esc_msb,utf8
distinguished_name = ca_dn
prompt = no

[ ca_dn ]
countryName = "JP"
stateOrProvinceName = "Kanagawa"
localityName = "Yokohama"
organizationName = "TotoRiotto"
commonName = "TotoRiotto Root CA"

[ req ]
x509_extensions = x509_extensions

[ x509_extensions ]
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
Then, the openssl command is below.
openssl req -x509 -config generate-root-ca.conf -sha256 -nodes -newkey rsa:2048 -keyout TotoRiottoRootCA/private/ca.key -out TotoRiottoRootCA/cacert.pem -days 3650
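One way to confirm that the generated certificate carries the extensions set in the conf file, and no CRL Distribution Points or AIA, is to check the text dump of the certificate. This is an added example, not part of the original post; the function names check_root_ext, ext_value and sample_root_text are hypothetical, and the sample text with its key id bytes is constructed.

```shell
# Added example: reads `openssl x509 -noout -text` output on stdin and checks
# the extensions requested by [ x509_extensions ] in the conf file above.

# Print the trimmed line that follows the first line containing $1.
ext_value() {
    awk -v h="$1" 'found { gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
                   index($0, h) { found = 1 }'
}

# Return 0 only when every check passes; print one line per failure.
check_root_ext() {
    text=$(cat)
    rc=0
    has() { printf '%s\n' "$text" | grep -qF "$1"; }
    val() { printf '%s\n' "$text" | ext_value "$1"; }
    has 'X509v3 Key Usage: critical' || { echo 'FAIL: keyUsage not critical'; rc=1; }
    [ "$(val 'X509v3 Key Usage:')" = 'Digital Signature, Certificate Sign, CRL Sign' ] ||
        { echo 'FAIL: unexpected keyUsage bits'; rc=1; }
    has 'X509v3 Basic Constraints: critical' ||
        { echo 'FAIL: basicConstraints not critical'; rc=1; }
    [ "$(val 'X509v3 Basic Constraints:')" = 'CA:TRUE' ] ||
        { echo 'FAIL: basicConstraints is not CA:TRUE'; rc=1; }
    # Self-signed root: authority key id must equal subject key id.
    # Some OpenSSL versions print a "keyid:" prefix, so strip it if present.
    ski=$(val 'X509v3 Subject Key Identifier:')
    aki=$(val 'X509v3 Authority Key Identifier:' | sed 's/^keyid://')
    [ -n "$ski" ] && [ "$ski" = "$aki" ] ||
        { echo 'FAIL: SKI/AKI missing or different'; rc=1; }
    # The root carries neither of these; they go on certificates it signs.
    has 'X509v3 CRL Distribution Points' && { echo 'FAIL: unexpected CDP'; rc=1; }
    has 'Authority Information Access' && { echo 'FAIL: unexpected AIA'; rc=1; }
    return $rc
}

# Constructed sample of the extension block (key id bytes are made up).
sample_root_text() {
    cat <<'EOF'
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
EOF
}
sample_root_text | check_root_ext && echo 'root CA extensions OK'
# Real use: openssl x509 -in TotoRiottoRootCA/cacert.pem -noout -text | check_root_ext
```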
The next step is creating a config file to generate the intermediate CA certificate.