Specific to private deployment

Generate root CA key and certificate

Before you begin

If your company has a root certificate authority (CA) certificate available already, and if the root CA certificate has already been imported into your browser, you can skip this procedure and the next section and go straight to Generate RBA server key and certificate request.

Log in to the system that you want to use for certificate management. If you intend to use the internal certificate authority (CA) for more than just testing purposes, make sure to establish proper security measurements. Ideally, the system used should have no internet access and possibly not even any network access.


  1. Create the root CA directory:
    mkdir -p /root/internalca
    cd /root/internalca
  2. Generate the private key of the root CA:
    openssl genrsa -out rootCAKey.pem 2048
  3. Generate the self-signed root CA certificate:
    openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
    In this example, the validity period is 3650 days. Set the appropriate number of days for your company. Make a reminder to renew the certificate before it expires.
  4. Review the certificate:
    openssl x509 -in rootCACert.pem -text