Creating the Certificate Authority Key and Certificate

Organizations that do not have existing CA infrastructure can obtain a CA private key and certificate through a well-known, external service, such as VeriSign™, or execute the following procedure to generate their own CA private key and certificate.

#openssl req -x509 -days 365 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem

Generating a 1024 bit RSA private key



writing new private key to '/tmp/root_key.pem'

Enter PEM pass phrase:Trend


You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [GB]:DE

State or Province Name (full name) [Berkshire]:Bavaria

Locality Name (eg, city) [Newbury]:Munich

Organization Name (eg, company) [My Company Ltd]: Trend Micro

Organizational Unit Name (eg, section) []:Global Training

Common Name (eg, your name or your server's host name) []:EF

Email Address []

After the completion of this procedure, the /tmp/root_key.pem file contains the private key encrypted with the “Trend” password. The /tmp/root_key.pem file contains the self-signed certificate that must be distributed to all clients and servers. Both are stored in the PEM-format.


The Organization (O) field for the CA and key owners must be the same.

After obtaining a CA private key and certificate:

  • Deploy the CA certificate on all servers.

  • Have all certificates issued in your organization signed by the CA.