Using OpenSSL to Create a CA Certificate
- Log in to a Linux server with OpenSSL installed.
- Create the cert_v3 directory and enter the directory.
mkdir cert_v3
cd cert_v3
- Create a working directory and enter the directory.
mkdir ca
cd ca
- Create the OpenSSL configuration file ca_cert.conf for the CA certificate. The file content is as follows:
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = mxManufacture
CN = xxx.huawei.com

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
The CN and DNS fields can be changed to the domain name or IP address of the server as required.
xxx.huawei.com is for reference only. Change xxx based on the site requirements, for example, mxmanufacture.huawei.com.
- Create the private key file ca.key of the CA certificate.
openssl genrsa -aes256 -out ca.key 4096

Set password strength properly. The password must contain at least eight characters and contain at least two types of the following characters: digits, uppercase letters, lowercase letters, and special characters.
- Create the CSR request file ca.csr of the CA certificate.
openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf
- Create the self-signed CA certificate ca.crt.
openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 1000 -extfile ./ca_cert.conf -extensions v3_ca -signkey ca.key
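
The following check is an added example, not part of the original procedure. It confirms that the ca.crt and ca.key produced by the steps above came out as intended: critical CA:TRUE and key usage from [ v3_ca ], a valid self-signature, and an encrypted private key that matches the certificate. The function name check_ca and the CA_KEY_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check the ca.crt / ca.key produced by the steps above.
# The key passphrase is read from the CA_KEY_PASS environment variable (an
# assumption of this example; the procedure itself prompts for it).
check_ca() (
    crt=$1 key=$2
    fail() { echo "FAIL: $*" >&2; exit 1; }

    text=$(openssl x509 -in "$crt" -noout -text) || fail "cannot parse $crt"

    # basicConstraints must be critical and CA:TRUE, as set in [ v3_ca ].
    echo "$text" | grep -A1 'X509v3 Basic Constraints: critical' \
        | grep -q 'CA:TRUE' || fail "not a CA cert (missing critical CA:TRUE)"

    # keyUsage must be critical and allow certificate and CRL signing.
    ku=$(echo "$text" | grep -A1 'X509v3 Key Usage: critical' | tail -n 1)
    for usage in 'Digital Signature' 'Certificate Sign' 'CRL Sign'; do
        case $ku in *"$usage"*) ;; *) fail "keyUsage lacks: $usage" ;; esac
    done

    # Self-signed: subject equals issuer and the signature verifies.
    [ "$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')" = \
      "$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')" ] \
        || fail "subject and issuer differ"
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || fail "self-signature does not verify"

    # ca.key must be stored encrypted (-aes256) and must match the cert.
    grep -q 'ENCRYPTED' "$key" || fail "private key is not encrypted"
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin env:CA_KEY_PASS -pubout \
        | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || fail "ca.key does not match ca.crt (or wrong passphrase)"

    echo "OK: $crt is a self-signed CA certificate matching $key"
)
```

Run it as `check_ca ca.crt ca.key` from the ca directory with CA_KEY_PASS exported. A certificate generated without `-extfile ./ca_cert.conf -extensions v3_ca` fails the first check because it carries no CA:TRUE basic constraint.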
