How to create a root certificate authority using OpenSSL on Linux

Home > Search > How-to

This assumes you have already followed the article on how to create a private key, certificate signing request (csr), and public certificate using OpenSSL on Linux.

Private Key

The first step is to create the root certificate authority private key. As the name implies, a private key is private, and should never ever be made public.


Move to the /etc/pki/tls/private directory and create the root CA private key. In this example, the private key will be named rootCA.key and have a 2048-bit RSA algorithm.

~]# cd /etc/pki/tls/private
~]# openssl genrsa -out rootCA.key 2048


Ensure only root can read the private key file.

~]# chmod 400 rootCA.key


Public Certificate (aka X.509)

The public certificate is what is provided to the clients. There is a mathmatical relationship between the public certificate and private key. Both are needed in order for encryption to work.


Create the root certificate authority public certificate.

~]# cd /etc/pki/tls/certs
~]# openssl req -x509 -new -nodes -key /etc/pki/tls/private/rootCA.key -sha256 -days 365 -out rootCA.pem


Create public certificates to the root certificate

Numeous "child" public certificates can be created inside of the root CA.


Create a "child" public certificate in the root CA.

~]# cd /etc/pki/tls/certs
~]# openssl x509 
    -days 365 
    -in /etc/pki/tls/ldap.csr 
    -CA /etc/pki/tls/certs/rootCA.pem 
    -CAkey /etc/pki/tls/private/rootCA.key 
    -out /etc/pki/tls/certs/ 


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.