Note: Before you begin, make sure that you have a basic knowledge of creating OpenSSL certificates.
To configure OpenXPKI CA manually, create the following:
- Root CA certificate. For more information, see Creating a root CA certificate.
- CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.
- Data vault certificate, self‑signed. For more information, see Creating a vault certificate.
- SCEP certificate, signed by the signer certificate.
Notes:
- When selecting the signature hash, use either SHA256 or SHA512.
- Changing the public key size is optional.
In this example, the certificates are generated in the /etc/certs/openxpki_ca-one/ directory. However, you can use any directory.
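
Once the four certificates exist, you can confirm that they have the signing relationships and the signature hash described above. The following script is an added example, not part of the original guide: it builds a throwaway hierarchy in a temporary directory and then checks it. The file names (`root`, `signer`, `vault`, `scep`), the subject names, and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. File names (root, signer, vault, scep) and subject names are
# assumptions for illustration; adjust them to the files you generated.
_req() {   # $1 = dir, $2 = name, rest = extra "openssl req" arguments
  dir=$1 name=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/demo.cnf" \
    -subj "/CN=Demo $name" -keyout "$dir/$name.key" "$@" 2>/dev/null
}
_sign() {  # $1 = dir, $2 = name, $3 = issuer, rest = extra "openssl x509" arguments
  dir=$1 name=$2 ca=$3; shift 3
  openssl x509 -req -sha256 -days 30 -in "$dir/$name.csr" -CA "$dir/$ca.crt" \
    -CAkey "$dir/$ca.key" -CAcreateserial -out "$dir/$name.crt" "$@" 2>/dev/null
}
# Build a throwaway (constructed) hierarchy in directory $1 as sample input.
make_demo_hierarchy() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/demo.cnf"
  _req "$d" root -x509 -days 30 -extensions ca -out "$d/root.crt" &&
  _req "$d" vault -x509 -days 30 -out "$d/vault.crt" &&
  _req "$d" signer -out "$d/signer.csr" &&
  _sign "$d" signer root -extfile "$d/demo.cnf" -extensions ca &&
  _req "$d" scep -out "$d/scep.csr" &&
  _sign "$d" scep signer
}
_verify() { openssl verify "$@" >/dev/null 2>&1; }
# Return 0 only if the certificates in $1 have the relationships listed above.
check_hierarchy() {
  d=$1
  _verify -CAfile "$d/root.crt" "$d/root.crt" ||
    { echo "root CA is not self-signed"; return 1; }
  _verify -CAfile "$d/vault.crt" "$d/vault.crt" ||
    { echo "data vault is not self-signed"; return 1; }
  _verify -CAfile "$d/root.crt" "$d/signer.crt" ||
    { echo "signer is not signed by the root CA"; return 1; }
  # -partial_chain makes the signer itself the trust anchor, so only a
  # certificate issued directly by the signer passes this check.
  _verify -partial_chain -CAfile "$d/signer.crt" "$d/scep.crt" ||
    { echo "SCEP certificate is not signed by the signer"; return 1; }
  for c in root signer vault scep; do
    alg=$(openssl x509 -in "$d/$c.crt" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
    case $alg in
      *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]512*) ;;
      *) echo "$c: signature hash $alg is not SHA256 or SHA512"; return 1 ;;
    esac
  done
}
# Demo run on the constructed hierarchy.
tmp=$(mktemp -d) && make_demo_hierarchy "$tmp" && check_hierarchy "$tmp" && echo "hierarchy OK"; rm -rf "$tmp"
```

To check your own files, call `check_hierarchy` with the directory that holds them, after renaming the files in the script to match yours.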