This assumes you have already followed the article on how to create a private key, certificate signing request (CSR), and public certificate using OpenSSL on Linux.
The first step is to create the root certificate authority private key. As the name implies, a private key is private, and should never ever be made public.
Move to the /etc/pki/tls/private directory and create the root CA private key. In this example, the private key will be named rootCA.key and will be a 2048-bit RSA key.
~]# cd /etc/pki/tls/private
~]# openssl genrsa -out rootCA.key 2048
Ensure only root can read the private key file.
~]# chmod 400 rootCA.key
Public Certificate (aka X.509)
The public certificate is what is provided to the clients. There is a mathematical relationship between the public certificate and the private key. Both are needed in order for encryption to work.
Create the root certificate authority public certificate. This command prompts for the subject fields (country, organization, common name, and so on) because it creates a new self-signed certificate rather than reading an existing CSR.
~]# cd /etc/pki/tls/certs
~]# openssl req -x509 -new -nodes -key /etc/pki/tls/private/rootCA.key -sha256 -days 365 -out rootCA.pem
Create public certificates signed by the root certificate
Numerous "child" public certificates can be signed by the root CA.
Create a "child" public certificate signed by the root CA. The -CAcreateserial option creates the serial number file (rootCA.srl) on first use so that each certificate issued by this CA gets a unique serial number.
~]# cd /etc/pki/tls/certs
~]# openssl x509 -req -days 365 -in /etc/pki/tls/ldap.csr -CA /etc/pki/tls/certs/rootCA.pem -CAkey /etc/pki/tls/private/rootCA.key -CAcreateserial -out /etc/pki/tls/certs/example.com.crt -sha256
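The whole procedure above, run end to end in a throwaway directory and followed by the check a practitioner actually wants: that the child certificate chains to the root, and that a certificate does not validate against an unrelated CA. This is an added example, not part of the original article; the temporary working directory, the -subj values (which replace the interactive prompts), and the names Demo Root CA, example.com and Other CA are assumptions for the demo and not the article's /etc/pki/tls layout.

```shell
#!/bin/sh
# Added example: build a root CA and one child certificate in a temporary
# directory, then verify the chain with "openssl verify". All paths and
# subject names below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1 and 2: root CA private key (2048-bit RSA, owner-readable only) and
# the self-signed root certificate. -subj supplies the subject fields that the
# article's command prompts for interactively. The key is written unencrypted,
# so -nodes changes nothing here; it only matters when "req" generates a key.
make_ca() {
    name="$1"; cn="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    chmod 400 "$WORK/$name.key"
    openssl req -x509 -new -nodes -key "$WORK/$name.key" -sha256 -days 365 \
        -subj "/CN=$cn" -out "$WORK/$name.pem" 2>/dev/null
}

# Step 3: a child key and CSR, then sign the CSR with the named CA.
# -CAcreateserial creates <ca>.srl on first use and increments it afterwards.
make_child() {
    ca="$1"; name="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
        -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -sha256 -out "$WORK/$name.crt" 2>/dev/null
}

# Does the child certificate chain to the given CA certificate? Prints ok/fail.
verify_child() {
    ca="$1"; child="$2"
    if openssl verify -CAfile "$WORK/$ca.pem" "$WORK/$child.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Full run: the child signed by rootCA must verify against rootCA and must
# NOT verify against an unrelated self-signed CA.
build_and_check() {
    make_ca rootCA "Demo Root CA"
    make_ca otherCA "Other CA"
    make_child rootCA example.com
    echo "root=$(verify_child rootCA example.com) other=$(verify_child otherCA example.com)"
}

build_and_check
```

A serial number file named rootCA.srl appears next to the CA certificate after the first signing; keep it with the CA, since reusing a serial number for two different certificates from the same issuer is a CA defect that some clients reject outright.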