Choose a directory to be the root for this CA. All paths will be relative to it.
Create your local configuration for this CA, e.g. edit ca.conf:
[ca]
default_ca = default
[default]
dir = .
certs = $dir
new_certs_dir = $dir/db.certs
database = $dir/db.index
serial = $dir/db.serial
certificate = $dir/root.crt
private_key = $dir/root.key
default_days = 365
default_crl_days = 30
# Remember to have the CSR request generated using the same digest, e.g.
# openssl req -new -sha256 -key foo.key -out foo.csr
default_md = sha256
preserve = no
RANDFILE = $dir/db.random
policy = default_policy
# Use with caution: copy all requested (X509) extensions into certificate!
#copy_extensions = copy
[default_policy]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
Initialize the directory before signing any CSR:
mkdir -p db.certs input output
touch db.index
echo "01" > db.serial
Generate the RANDFILE:
dd if=/dev/urandom of=db.random bs=256 count=1
Of course, we should also place our CA's key and (maybe self-signed) certificate here.
Sign a CSR from input/ and write the issued certificate to output/:
openssl ca -config ca.conf -in input/foo.csr -out output/foo.crt
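The whole procedure end to end, as an added example that is not the page's own script: it builds a throwaway CA in a temporary directory from a trimmed copy of the ca.conf above (a [req] section is added so openssl req does not need a system config), creates a self-signed root, signs a constructed CSR with openssl ca, and checks that the result verifies against the root. The subjects, file names and the foo.example host are made up.

```shell
#!/bin/sh
# Added example, not the page's own script: build a throwaway CA in a temp dir
# with a trimmed copy of the ca.conf above, sign a constructed CSR via
# `openssl ca`, then verify the chain. All names/subjects are made up.
set -eu

demo_ca() (
  root=$(mktemp -d) && cd "$root" || return 1
  cat > ca.conf <<'EOF'
[ca]
default_ca = default
[default]
dir = .
certs = $dir
new_certs_dir = $dir/db.certs
database = $dir/db.index
serial = $dir/db.serial
certificate = $dir/root.crt
private_key = $dir/root.key
default_days = 365
default_md = sha256
preserve = no
policy = default_policy
[default_policy]
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
# [req] section so `openssl req -config ca.conf` works without a system config
[req]
distinguished_name = req_dn
[req_dn]
EOF
  mkdir -p db.certs input output && touch db.index && echo "01" > db.serial || return 1
  # Self-signed root; CA:TRUE is needed or verification below rejects it as an issuer.
  openssl req -config ca.conf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -subj "/O=Example Org/OU=CA/CN=Example Root" \
    -keyout root.key -out root.crt 2>/dev/null || return 1
  # Leaf CSR, signed with the same digest as default_md; O/OU/CN satisfy the policy.
  openssl req -config ca.conf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Org/OU=Web/CN=foo.example" \
    -keyout input/foo.key -out input/foo.csr 2>/dev/null || return 1
  # Corrected form of the page's final command (-batch suppresses the prompts).
  openssl ca -batch -notext -config ca.conf -in input/foo.csr \
    -out output/foo.crt 2>/dev/null || return 1
  # Issued cert must chain to root.crt and be recorded (status V) in db.index.
  openssl verify -CAfile root.crt output/foo.crt >/dev/null &&
    grep -q "^V.*CN=foo.example" db.index
)
```

Run demo_ca and check its exit status; a CSR whose subject lacks one of the "supplied" fields, or carries a field absent from the policy, is rejected by openssl ca at the signing step.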