Create the Root Certificate
The root key is private (*.key) and should be kept absolutely secure (usually on an air-gapped machine).
Note that the paths to all the certificates must be correct (the repository should be cloned into C:\Certificates); otherwise you will have to re-path all the files used in this installation.
Open a command window and cd into the Root CA folder
cd C:\Certificates\DoD\CA
Use the following command to create the private key:
openssl genrsa -aes256 -out private/rootca.key
Follow the prompts to create a password for the private key. Do not lose this password! There is no password reset.
Use the following command to create the public certificate:
openssl req -config rootca.cnf -key private/rootca.key -new -x509 -days 7305 -sha256 -extensions v3_ca -out public/rootca.cer
Enter the password for the private key you are using, then press Enter on all the prompts to accept the defaults.
Note: Use something similar to the common name in the example Subject shown below for the common name. (It's important that you remember the settings you enter for the Root CA, because some of the Intermediate CA settings will have to match exactly.)
You can verify the root CA by using the following command:
openssl x509 -noout -text -in public/rootca.cer
Since it is self-signed, the Issuer and Subject should both show the default values (or the values you entered):
C = US, ST = GA, L = Fort Benning, O = U.S. Government, OU = DoD, OU = USASOC, OU = 75RR, CN = MOCK DoD Root CA, emailAddress =
Key Usage is Digital Signature, Certificate Sign, and CRL Sign.
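The whole procedure above (key, self-signed certificate, verification) as one unattended script, added here as an example; it is not part of the repository and does not use the repository's rootca.cnf. It writes a constructed minimal config with a v3_ca section carrying the page's Subject values, passes a demo passphrase on the command line instead of typing it at the prompt (acceptable only for a throwaway test CA), and then checks the three things the page tells you to look for: Issuer equals Subject, CA:TRUE, and the Digital Signature / Certificate Sign / CRL Sign key usages.

```shell
#!/bin/sh
# Added example, not the repository's own script or rootca.cnf.
# Requires the openssl command-line tool.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

# Writes a constructed stand-in for rootca.cnf. The DN values are the ones
# shown on the page; OpenSSL needs the 0./1./2. prefixes for repeated OUs.
write_root_cnf() {
  cnf="$1"
  cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = v3_ca

[ req_distinguished_name ]
C    = US
ST   = GA
L    = Fort Benning
O    = U.S. Government
0.OU = DoD
1.OU = USASOC
2.OU = 75RR
CN   = MOCK DoD Root CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Generates the AES-256-encrypted private key and the self-signed root
# certificate, mirroring the two openssl commands on the page. The page's
# genrsa command relies on OpenSSL's default key size; 4096 is set explicitly
# here. The passphrase is a demo value supplied non-interactively.
make_root_ca() {
  dir="$1"
  pass="${2:-demo-passphrase-change-me}"
  mkdir -p "$dir/private" "$dir/public"
  write_root_cnf "$dir/rootca.cnf"
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$dir/private/rootca.key" 4096 2>/dev/null
  openssl req -config "$dir/rootca.cnf" -key "$dir/private/rootca.key" \
    -passin "pass:$pass" -new -x509 -days 7305 -sha256 -extensions v3_ca \
    -out "$dir/public/rootca.cer"
}

# Checks what the page says a correct root CA should show. Returns 0 when
# every check passes and 1 (with a reason on stdout) otherwise.
verify_root_ca() {
  cert="$1"
  text=$(openssl x509 -noout -text -in "$cert")
  subject=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject=//')
  issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer=//')
  # self-signed: the Issuer must be exactly the Subject
  [ "$subject" = "$issuer" ] || { echo "not self-signed"; return 1; }
  # must be marked as a CA
  case "$text" in *"CA:TRUE"*) ;; *) echo "missing CA:TRUE"; return 1 ;; esac
  # key usage line follows the "X509v3 Key Usage" header in the text dump
  usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  for want in 'Digital Signature' 'Certificate Sign' 'CRL Sign'; do
    case "$usage" in
      *"$want"*) ;;
      *) echo "missing key usage: $want"; return 1 ;;
    esac
  done
  # finally, the certificate must validate against itself as a trust anchor
  openssl verify -CAfile "$cert" "$cert" >/dev/null
}

# Usage: sh rootca.sh /path/to/ca-dir [passphrase]
if [ $# -gt 0 ]; then
  make_root_ca "$1" "${2:-demo-passphrase-change-me}"
  verify_root_ca "$1/public/rootca.cer" && echo "root CA verified: $1/public/rootca.cer"
fi
```

For a real root, drop the -passout/-passin options and type the passphrase at the prompts as the page instructs, so it never lands in shell history or process listings, and run the script on the air-gapped machine the page describes.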
Next: Import the Root CA into the client