Create a root certificate

To properly configure mutual authentication, you need to create a root certificate that you want to use to create and validate client certificates.

Before you begin

  • Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.

  • Prepare a CA root certificate configuration file.

An example of content in a root.conf file

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = v3_ca
# subject distinguished name
distinguished_name = dn

[ dn ]
# country
C = US
# state
ST = Massachusetts
# city
L = Cambridge
# organization
O = Organization
# organization unit
OU = IoT
# email
emailAddress =
# common name
CN =

[ req_ext ]
# subject alternative name
subjectAltName = @alt_names
# netscape comment
nsComment = "This is netscape comment"

[ v3_ca ]
basicConstraints = CA:true

[ alt_names ]
DNS.1 =

All the files used in the task are in the same directory. The commands use the following file names:

  • root.conf is the configuration file for the CA root certificate.

  • rootCA.crt is the CA root certificate you previously created.

  • rootCA.key is the CA root private key that you previously created.

How to

  1. Create a certificate key for your domain.

    You can use the following command:

    openssl genrsa -des3 -out rootCA.key 4096

    Because of the -des3 option, the command prompts for a passphrase that encrypts the private key; you need the same passphrase again in step 2.

    A rootCA.key file appears in your current directory.

  2. Using your CA root certificate key and the CA root configuration file, generate the CA root certificate.

    Make sure to set the basicConstraints value in the root.conf file to CA:true. This value indicates whether a certificate is a CA certificate.

    You can use the following command:

    openssl req -x509 -config root.conf -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

    A rootCA.crt file appears in your current directory.

  3. Upload the mutual authentication root certificate.
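As an added check that is not part of the original procedure or its product, the following Python script parses a root.conf in the format shown above and reports what would make step 2 fail or produce a certificate that is not a CA: a distinguished_name or @alt_names reference to a section that does not exist, DN fields left blank while prompt = no, or basicConstraints without CA:true. SAMPLE_CONF is a constructed configuration; "Example Root CA" and ca.example.com are placeholder values.

```python
import re
# Constructed sample: this page's root.conf with its section headers present and the blanks filled in.
SAMPLE_CONF = """
[ req ]
prompt = no
req_extensions = req_ext
x509_extensions = v3_ca
distinguished_name = dn
[ dn ]
C = US
CN = Example Root CA
[ req_ext ]
subjectAltName = @alt_names
[ v3_ca ]
basicConstraints = CA:true
[ alt_names ]
DNS.1 = ca.example.com
"""

def parse_openssl_conf(text):
    """Return {section: {key: value}}; keys before the first [section] land under ''."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            sections.setdefault(cur := m.group(1), {})
        else:
            key, _, value = line.partition("=")
            sections[cur][key.strip()] = value.strip().strip('"')
    return sections

def check_root_conf(text):
    """List what would make `openssl req -x509` fail or emit a non-CA cert; [] means OK."""
    conf, problems = parse_openssl_conf(text), []
    req = {**conf[""], **conf.get("req", {})}  # openssl also reads the unnamed top section
    dn = conf.get(req.get("distinguished_name", "<unset>"))
    if dn is None:
        problems.append("distinguished_name does not name an existing section")
    elif req.get("prompt") == "no":  # with prompt = no, blank fields are never asked for
        problems += [f"empty DN field {k}" for k, v in dn.items() if not v]
    ext = conf.get(req.get("x509_extensions", "<unset>"), {})
    flags = [f.strip().lower() for f in ext.get("basicConstraints", "").split(",")]
    if "ca:true" not in flags:
        problems.append("basicConstraints must include CA:true in the x509_extensions section")
    problems += [f"{n}.{k} references missing section {v}" for n, s in conf.items()
                 for k, v in s.items() if v.startswith("@") and v[1:] not in conf]
    return problems
```

Running check_root_conf over a configuration whose section headers were lost, as in a copy of the example above without the [ dn ] line, reports the missing section before openssl is ever invoked.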