Create a Mutual Authentication root certificate

To configure Mutual Authentication, you need a root certificate that is used to issue client certificates and to validate them when clients connect.

Before you begin

  • Make sure your environment meets the minimum requirements to complete this procedure. See System requirements.
  • Prepare a CA root certificate configuration file.
    An example of the content of a root.conf file:
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    x509_extensions = v3_ca
    # subject distinguished name
    distinguished_name = dn
    
    [dn]
    # country
    C = US
    # state
    ST = Massachusetts
    # city
    L = Cambridge
    # organization
    O = Organization
    # organization unit
    OU = IoT
    # email
    emailAddress = test@email.com
    # common name
    CN = www.organization.test.com
    
    [req_ext]
    # subject alternative name
    subjectAltName = @alt_names
    # netscape comment
    nsComment = "This is netscape comment"
    
    [ v3_ca ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints = CA:true
    
    [alt_names]
    DNS.1 = test.example.com

All the files used in the task are in the same directory. The commands use these file names:
  • root.conf is the configuration file for the CA root certificate.
  • rootCA.crt is the CA root certificate (created in step 2).
  • rootCA.key is the CA root private key (created in step 1).

How to

  1. Create the private key for the CA root certificate.
    You can use the following command: openssl genrsa -des3 -out rootCA.key 4096
    The -des3 option prompts for a passphrase that encrypts the key on disk; you need this passphrase again whenever the key is used to sign a certificate.
    A rootCA.key file appears in your current directory.
  2. Using your CA root certificate key and the CA root configuration file, generate the CA root certificate.
    Make sure that the basicConstraints value in the root.conf file is set to CA:true. This value indicates whether a certificate is a CA certificate; without it, the certificate cannot act as the issuer of client certificates.
    You can use the following command: openssl req -x509 -config root.conf -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    The command prompts for the passphrase that you set on rootCA.key in step 1.
    A rootCA.crt file appears in your current directory.
  3. Upload the Mutual Authentication root certificate.
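The following script is an added example, not part of the original procedure: it runs steps 1 and 2 non-interactively against a constructed root.conf and then checks the properties that later client-certificate validation depends on (encrypted key, CA:TRUE, and a root that verifies as its own trust anchor). It assumes openssl is on PATH; the passphrase, working directory and -aes256 key cipher (used here instead of -des3) are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: generate the CA key and root
# certificate from a constructed root.conf, then verify the result.
# Assumes openssl is on PATH; passphrase and WORKDIR are constructed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="pass:example-passphrase"   # constructed; in practice prompt for it

# Minimal root.conf with the settings the procedure depends on (constructed).
write_root_conf() {
    cat > "$WORKDIR/root.conf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
O = Organization
CN = www.organization.test.com
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
}

# Step 1: passphrase-protected CA private key (-aes256 instead of -des3).
create_root_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORKDIR/rootCA.key" 4096 2>/dev/null
}

# Step 2: self-signed CA root certificate from the key and root.conf.
create_root_cert() {
    openssl req -x509 -new -config "$WORKDIR/root.conf" -key "$WORKDIR/rootCA.key" \
        -passin "$PASS" -sha256 -days 1024 -out "$WORKDIR/rootCA.crt"
}

# Check: the key file on disk is encrypted (a stolen copy alone cannot sign).
key_is_encrypted() { grep -q ENCRYPTED "$WORKDIR/rootCA.key"; }
# Check: basicConstraints marks the certificate as a CA (step 2's requirement).
is_ca_cert() { openssl x509 -in "$WORKDIR/rootCA.crt" -noout -text | grep -q 'CA:TRUE'; }
# Check: the root verifies against itself as a trust anchor, which is what
# validation of client certificates issued under it will rely on.
self_verifies() { openssl verify -CAfile "$WORKDIR/rootCA.crt" "$WORKDIR/rootCA.crt" >/dev/null; }

write_root_conf
create_root_key
create_root_cert
key_is_encrypted
is_ca_cert
self_verifies
echo "root CA ready in $WORKDIR"
```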