Note: Replace the key length, signature algorithm, and certificate name with the appropriate values.
Run the following command:
- openssl genrsa -out /etc/certs/openxpki_democa/ca-signer-1.key -passout file:/etc/certs/openxpki_democa/pd.pass 4096
Replace the subject in the request with your CA information using openssl req -config /etc/certs/openxpki_democa/openssl.conf -reqexts v3_ca_reqexts -new -key /etc/certs/openxpki_democa/ca-signer-1.key -subj /DC=COM/DC=LEXMARK/DC=DEV/DC=CA-ONE/CN=MYOPENXPKI_ISSUINGCA -out / etc/certs/openxpki_democa/ca-signer-1.csr.
Get the certificate signed by the root CA using openssl x509 -req -extfile /etc/certs/openxpki_democa/openssl.conf -extensions v3_issuing_extensions -days 3650 -in /etc/certs/openxpki_democa/ca-signer-1.csr -CA /etc/certs/openxpki_democa/ca-root-1.crt -CAkey /etc/certs/openxpki_democa/ca-root-1.key -CAcreateserial -out /etc/certs/openxpki_democa/ca-signer-1.crt -sha256.
Run the following command:
- openxpkiadm alias --realm democa --token certsign --file ca-signer-1.crt --key ca-signer-1.key