openssl req -new -x509 -days <days of validity> -key <your CA key name> -out <root CA certificate name> -config <config file name>
For example:
openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config openssl.cnf
Create a new, self-signed X.509 certificate valid for ten years, for the keypair in the file root-ca.key, and place the output in the file root-ca.crt.
You are prompted to give identifying information for the certificate. Do not to use single quotes in the responses, due to a quirk in the Globus implementation. For example, don't use a common name like "Alice's CA". If you have customized the configuration file as suggested above, the defaults you specified there will make this step easier. The openssl req command recognizes that the request is for a self-signed certificate, and automatically applies suitable options, such as setting "CA:TRUE."
The default values as shown above in square brackets are from the configuration file. You can input any value or use the default. Provide a common name. Do not use an email address.
The following text is a sample output screen:
Enter pass phrase for root-ca.key:You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [US]:State or Province Name (full name) [SampleProvince]:Locality Name (eg, city) [Madison]:Organization Name (eg, company) [SampleOrg]:Second Organization Name (eg, company) [Computer Sciences Department]:Organizational Unit Name (eg, section) [INFA_sample Project]:Common Name (eg, YOUR name) []:<Any Name eg: MyRootCA> Email Address []:
