If you are interested in creating your own root CA certificate, then read on.
The command line below will generate a root CA certificate (which by its nature is self-signed) with an 8192-bit RSA key and a lifetime of 365 days from the time you issue the command.
Additionally, we declare that this certificate is a root CA certificate that will be used for certificate and revocation list signing.
keytool -keystore my-ca.jks -genkeypair -alias my-ca -dname "CN=My CA" -keyalg rsa -keysize 8192 -validity 365 -noprompt -ext BasicConstraints:critical=CA:true -ext KeyUsage:critical=keyCertSign,cRLSign
Because we know that we will need to import the root CA certificate, we will generate a PEM file for it.
keytool -exportcert -keystore my-ca.jks -rfc -alias my-ca > my-ca.pem
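Before distributing the PEM file it is worth confirming that both extensions were written and marked critical. The following check is an added example, not part of the original post; the function name `check_root_ca_extensions` is hypothetical, and the text layout it parses is an assumption modelled on OpenJDK `keytool -printcert` output, with the sample inputs constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The text layout parsed here is
# an assumption modelled on OpenJDK `keytool -printcert` output.

# Reads `keytool -printcert` text on stdin. Succeeds only when BasicConstraints
# (OID 2.5.29.19) is critical with CA:true and KeyUsage (OID 2.5.29.15) is
# critical with both Key_CertSign and Crl_Sign.
check_root_ca_extensions() {
  awk '
    /ObjectId:/ {                      # start of a new extension block
      oid = ""; crit = ($0 ~ /Criticality=true/)
      for (i = 1; i < NF; i++) if ($i == "ObjectId:") oid = $(i + 1)
      next
    }
    oid == "2.5.29.19" && crit && /CA:true/      { ca = 1 }
    oid == "2.5.29.15" && crit && /Key_CertSign/ { sign = 1 }
    oid == "2.5.29.15" && crit && /Crl_Sign/     { crl = 1 }
    END { exit !(ca && sign && crl) }
  '
}

# Constructed sample: extensions expected from the command in the post.
sample_root_ca() {
  cat <<'EOF'
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
EOF
}

# Constructed sample: same extensions, but BasicConstraints is not critical.
sample_noncritical() {
  sample_root_ca | sed '1s/Criticality=true/Criticality=false/'
}

# Real use: keytool -printcert -file my-ca.pem | check_root_ca_extensions
sample_root_ca | check_root_ca_extensions && echo "root CA extensions OK"
sample_noncritical | check_root_ca_extensions || echo "rejected: not a valid root CA profile"
```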
In the next blog entry we will create an intermediate CA so we can keep the root CA keystore safe.
Posted August 1, 2015