Root Certificate Authority

A Root Certificate Authority (Root CA) is the foundational entity in a Public Key Infrastructure (PKI) hierarchy. It acts as the "root of trust," responsible for issuing and signing digital certificates for subordinate entities, such as Intermediate CAs or end-entity servers^[600-developer__tools__security__openssl.md].

In asymmetric cryptography, a core challenge is the "public key distribution problem": how can a user verify that a received public key genuinely belongs to the intended owner and has not been tampered with or substituted in transit^[600-developer__tools__security__openssl.md]? The Root CA solves this by vouching for the identity of the key holder. If a digital signature (on a message or on a certificate) can be verified with the public key of a trusted Root CA, this proves that it was produced with the Root CA's private key, i.e. that it was issued by that authority^[600-developer__tools__security__openssl.md].

Creating a Root CA with OpenSSL

In a development or testing environment, it is common to act as one's own CA using tools like OpenSSL. The process involves two main steps: generating a private key and then creating a self-signed certificate^[600-developer__tools__security__openssl.md].

  1. Generate the private key: a strong private key (typically RSA, 4096-bit) is generated for the root authority.

    openssl genrsa -des3 -out rootCA.key 4096
    
    This command creates a file named rootCA.key, encrypted with Triple DES (`-des3`) under a passphrase that is prompted for^[600-developer__tools__security__openssl.md].

  2. Generate the self-signed certificate: a certificate is created that signs itself, establishing the authority's validity for a long duration.

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.crt
    
    This command uses the private key to generate rootCA.crt, valid for effectively 100 years (36500 days)^[600-developer__tools__security__openssl.md].

Trust Configuration

For a client (such as a web browser or operating system) to trust certificates issued by this custom Root CA, the rootCA.crt file must be imported into the system's "Trusted Root Certification Authorities" store^[600-developer__tools__security__openssl.md]. Once installed, the system will trust any certificate signed with this root key, so rootCA.key must be guarded accordingly.
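The two creation steps above and the trust relationship they establish, as an added shell example (not from the original page): it builds a throwaway root, issues one server certificate from it, and shows with `openssl verify` that the server certificate is accepted only against the root that signed it. The inline `-passout`/`-passin` password, the `-subj` names and the hostname `dev.example.test` are assumptions made so the run is non-interactive.

```shell
#!/bin/sh
# Added example: throwaway Root CA, one leaf certificate, and a chain check.
# Assumed values (not from the page): password "changeit", CN names, hostname.
set -eu

build_root_ca() {
    dir="$1"; mkdir -p "$dir"
    # Step 1: 4096-bit RSA key, encrypted with Triple DES as in the page (-des3).
    openssl genrsa -des3 -passout pass:changeit -out "$dir/rootCA.key" 4096 2>/dev/null
    # Step 2: self-signed root certificate, 36500 days as in the page.
    openssl req -x509 -new -key "$dir/rootCA.key" -passin pass:changeit -sha256 \
        -days 36500 -subj "/CN=Example Root CA (constructed)" -out "$dir/rootCA.crt"
}

issue_server_cert() {
    dir="$1"; cn="$2"
    # Leaf key stays unencrypted (-nodes) because a server must load it unattended.
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
        -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
    # Sign the request with the root key; -CAcreateserial assigns the leaf a serial.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -passin pass:changeit -CAcreateserial \
        -days 365 -sha256 -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when $2 chains to the trust anchor $1, non-zero otherwise.
# -no-CAfile/-no-CApath keep the system store out of the decision, so the
# result depends only on the root we pass in, like a store with one entry.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: `sh root_ca_demo.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_root_ca "$work/ca"
    issue_server_cert "$work/ca" dev.example.test
    verify_chain "$work/ca/rootCA.crt" "$work/ca/server.crt" && echo "own root: accepted"
    build_root_ca "$work/other"
    verify_chain "$work/other/rootCA.crt" "$work/ca/server.crt" || echo "unrelated root: rejected"
fi
```

The second root in the demo stands in for a client that never imported rootCA.crt: the same server certificate is rejected, which is the whole effect of the trust-store import described above.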

Sources

^[600-developer__tools__security__openssl.md]