# Console transcript (root shell on a host named centos6): generate a
# passphrase-protected RSA key and a self-signed root CA certificate
# ("TrustMe Root CA") with OpenSSL. Lines starting with "# NOTE(review)" are
# reviewer annotations; everything else is the recorded session.
#
# NOTE(review): the three strings on the next line look like key passphrases.
# The first is reused below for TrustMe_RCA.key; presumably the other two
# belong to an intermediate-CA key and a server key -- confirm. Anything
# written into a transcript like this must be treated as disclosed.
Passw0rd-rc@ Passw0rd-ic@ Passw0rd-svr
[root@centos6 ~]#
# NOTE(review): the CA key is created in /var/tmp, normally a shared,
# world-writable location. A directory owned by root with mode 0700 is the
# safer working area for CA key material.
[root@centos6 ~]# cd /var/tmp
[root@centos6 tmp]#
# NOTE(review): "-passout pass:<value>" places the passphrase in the command
# line, where it can show up in process listings and shell history. Letting
# openssl prompt, or using the file:/env:/stdin forms of -passout, avoids that.
# NOTE(review): the modulus is 2048 bits while the certificate below is issued
# for 7300 days; a root with that lifetime usually gets a larger key -- check
# against the applicable key-management policy.
[root@centos6 tmp]# openssl genrsa -aes256 -passout pass:Passw0rd-rc@ -out TrustMe_RCA.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................+++
.................................................+++
e is 65537 (0x10001)
[root@centos6 tmp]#
# NOTE(review): the listing shows the key file as -rw-r--r-- (0644), so every
# local account can read the encrypted key and only the passphrase protects
# it. Setting "umask 077" before genrsa, or "chmod 600" afterwards, restricts
# it to root.
[root@centos6 tmp]# ls -l
total 4
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
[root@centos6 tmp]#
# NOTE(review): this edits the system-wide OpenSSL configuration. The edit
# itself is not recorded; only the resulting tail of the file is shown below.
[root@centos6 tmp]# vi /etc/pki/tls/openssl.cnf
[root@centos6 tmp]#
# NOTE(review) on the [ ext_ca_custom ] section printed below:
#  - basicConstraints and keyUsage are not marked "critical"; RFC 5280 expects
#    basicConstraints to be critical on CA certificates and recommends the
#    same for keyUsage.
#  - keyUsage lists digitalSignature, nonRepudiation, keyEncipherment and
#    dataEncipherment in addition to keyCertSign and cRLSign; a root CA
#    normally needs only the last two.
#  - extendedKeyUsage on the root names four purposes; if the intent is to
#    constrain what the hierarchy may issue, that is usually expressed on
#    subordinate CAs -- confirm the intent.
#  - subjectAltName carries DNS entries containing spaces, which are not
#    valid DNS names, and a SAN has no defined role on a root CA certificate.
#  - pathlen:1 permits one level of subordinate CA beneath this root.
[root@centos6 tmp]# tail -14 /etc/pki/tls/openssl.cnf
[ ext_ca_custom ]
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:TRUE,pathlen:1
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = TrustMe Root CA G1
DNS.2 = TrustMe Root CA G2
[root@centos6 tmp]#
# NOTE(review): issues the self-signed certificate (-x509) signed with SHA-256,
# valid for 7300 days, taking its extensions from ext_ca_custom. The
# passphrase appears in clear text after the prompt in this transcript.
[root@centos6 tmp]# openssl req -x509 -new -key TrustMe_RCA.key -sha256 -days 7300 -extensions ext_ca_custom -out TrustMe_RCA.crt
Enter pass phrase for TrustMe_RCA.key: Passw0rd-rc@
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:TrustMe, Inc.
Organizational Unit Name (eg, section) []:(c) 2009 TrustMe, Inc. - for authorized use only
Common Name (eg, your name or your server's hostname) []:TrustMe Root CA
Email Address []:
[root@centos6 tmp]#
# NOTE(review): 0644 is fine for the certificate, which is public. The key is
# still 0644 here and still sits in /var/tmp next to it; a root CA key is
# normally restricted to its owner and kept off general-purpose hosts.
[root@centos6 tmp]# ls -l
total 8
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
[root@centos6 tmp]#