Root certificate

Create a Mutual Authentication root certificate

To properly configure Mutual Authentication, you need to create a root certificate that you want to use to create and validate client certificates.

Before you begin

  • Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.

  • Prepare a CA root certificate configuration file.

An example of content in a root.conf file

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = v3_ca
# subject distinguished name
distinguished_name = dn

[dn]
# country
C = US
# state
ST = Massachusetts
# city
L = Cambridge
# organization
O = Organization
# organization unit
OU = IoT
# email
emailAddress = test@email.com
# common name
CN = www.organization.test.com

[req_ext]
# subject alternative name
subjectAltName = @alt_names
# netscape comment
nsComment = "This is netscape comment"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

[alt_names]
DNS.1 = test.example.com

All the files used in the task are in the same directory. The commands use these variables for the file names:

  • root.conf is the configuration file for the CA root certificate.

  • rootCA.crt is the CA root certificate that you generate in step 2.

  • rootCA.key is the CA root private key that you generate in step 1.

How to

  1. Create a certificate key for your domain.

    You can use the following command: openssl genrsa -des3 -out rootCA.key 4096

    A rootCA.key file appears in your current directory.

  2. Using your CA root certificate key and the CA root configuration file, generate the CA root certificate.

    Make sure to set the basicConstraints value in the root.conf file to CA:true. This value indicates whether a certificate is a CA certificate.

    You can use the following command: openssl req -x509 -config root.conf -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

    A rootCA.crt file appears in your current directory.

  3. Upload the Mutual Authentication root certificate.
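Steps 1 and 2 as a script, with the pre-upload check a practitioner would want: that the generated certificate really carries CA:TRUE and verifies against itself. This is an added example, not part of the Akamai documentation; it writes a trimmed copy of the root.conf shown above into WORKDIR (assumed, defaults to a temp directory) and leaves out -des3 so it runs unattended.

```shell
# Added example, not from the Akamai docs: run steps 1 and 2 with the page's
# root.conf, then check the result is usable as a mutual-authentication root.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Constructed root.conf, trimmed from the page's example (same extensions).
write_root_conf() {
  cat > "$WORKDIR/root.conf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
x509_extensions = v3_ca
distinguished_name = dn
[dn]
C = US
O = Organization
CN = www.organization.test.com
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[alt_names]
DNS.1 = test.example.com
EOF
}

# Steps 1 and 2. The key is written unencrypted (no -des3) so this runs
# unattended; keep -des3 as on the page if you want a passphrase-protected key.
make_root_ca() {
  write_root_conf
  openssl genrsa -out "$WORKDIR/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -config "$WORKDIR/root.conf" -new -nodes \
    -key "$WORKDIR/rootCA.key" -sha256 -days 1024 -out "$WORKDIR/rootCA.crt"
}

# Pre-upload check: the certificate must be marked CA:TRUE and verify against
# itself (self-signed); a certificate failing either cannot anchor client certs.
check_root_ca() {
  openssl x509 -in "$WORKDIR/rootCA.crt" -noout -text | grep -q 'CA:TRUE' &&
  openssl verify -CAfile "$WORKDIR/rootCA.crt" "$WORKDIR/rootCA.crt" >/dev/null
}
```

Run make_root_ca followed by check_root_ca; a non-zero exit from the check means the root.conf lost its basicConstraints = CA:true or the certificate is not self-signed.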

Upload a Mutual Authentication root certificate

To use Mutual Authentication, you need to create a certificate set and connect it with your certificates in Certificate Provisioning System (CPS).

Before you begin, create a certificate set in mTLS Edge Truststore. See mTLS Edge Truststore.

  1. From the main menu, go to CDN > Certificates.

  2. Select the certificate that you want to use for Mutual Authentication.

  3. From the certificate's Actions menu, select View and Edit Deployment Settings.

  4. In the Mutual Authentication section, click Edit.

  5. From the Certificate set menu, select a certificate set.

  6. Click Submit.

    Your certificate redeploys to the Akamai network with the new settings.