Note: Before you begin, make sure that you have a basic knowledge on creating OpenSSL certificates.
To configure OpenXPKI CA manually, create the following:
Root CA certificate. For more information, see Creating a root CA certificate.
CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.
Data vault certificate, self‑signed. For more information, see Creating a vault certificate.
SCEP certificate, signed by the signer certificate.
Notes:
- When selecting the signature hash, use either SHA256 or SHA512.
- Changing the public key size is optional.
For this instance, we are using the /etc/certs/openxpki_ca-one/ directory for certificate generation. However, you can use any directory.