Note: Before you begin, make sure that you have a basic knowledge of creating certificates with OpenSSL.
To configure OpenXPKI CA manually, create the following:
- Root CA certificate. For more information, see Creating a root CA certificate.
- CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.
- Data vault certificate, self-signed. For more information, see Creating a vault certificate.
- Web certificate, signed by the signer certificate. For more information, see Setting up the webserver.
Notes:
- When selecting the signature hash, use either SHA256 or SHA512.
- Changing the public key size is optional.
For version 3.10 or later, you can manage the keys directly using the openxpkiadm alias command:
- Run mkdir -p /etc/openxpki/local/keys to create the key directory. /etc/openxpki/local/keys is the default location.
- Run openxpkictl start to start the server.
In this example, we use the /etc/certs/openxpki_democa/ directory for certificate generation. However, you can use any directory.
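The four certificates listed above, built as a throwaway chain with plain OpenSSL and then checked for a valid path and the chosen signature hash. This is an added example, not the vendor's or OpenXPKI's own procedure: the subject names, lifetimes, RSA key size, unencrypted keys and extension sections are assumptions for illustration, and the linked topics remain the reference for real values.

```shell
# Added example with constructed names; keys are unencrypted throwaway keys.
# build_demo_chain DIR [sha256|sha512] [RSA_BITS]: root -> signer -> web, plus self-signed vault
build_demo_chain() (
  dir=$1; md=${2:-sha256}; bits=${3:-3072}
  case $md in sha256|sha512) ;; *) echo "hash must be sha256 or sha512" >&2; exit 2 ;; esac
  mkdir -p "$dir" && cd "$dir" || exit 1
  umask 077   # private keys readable by the owner only
  cat > ext.cnf <<'EOF' || exit 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_vault]
keyUsage = keyEncipherment
[v3_web]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pki.example.test
EOF
  new="-config ext.cnf -newkey rsa:$bits -nodes -$md"
  sign="-extfile ext.cnf -$md -CAcreateserial"
  openssl req -x509 $new -extensions v3_ca -days 3650 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.crt &&
  openssl req -x509 $new -extensions v3_vault -days 1095 -subj "/CN=Demo DataVault" \
    -keyout vault.key -out vault.crt &&
  openssl req -new $new -subj "/CN=Demo Signer CA" -keyout signer.key -out signer.csr &&
  openssl x509 -req -in signer.csr -CA root.crt -CAkey root.key $sign \
    -extensions v3_ca -days 1825 -out signer.crt &&
  openssl req -new $new -subj "/CN=pki.example.test" -keyout web.key -out web.csr &&
  openssl x509 -req -in web.csr -CA signer.crt -CAkey signer.key $sign \
    -extensions v3_web -days 365 -out web.crt
)
# check_demo_chain DIR HASH: web cert must chain to the root, every cert must be signed with HASH
check_demo_chain() (
  cd "$1" || exit 1
  openssl verify -CAfile root.crt -untrusted signer.crt web.crt >/dev/null || exit 1
  for c in root signer vault web; do
    openssl x509 -in "$c.crt" -noout -text |
      grep -q "Signature Algorithm: ${2}WithRSAEncryption" || exit 1
  done
)
# Runs only when a directory is given, e.g. sh demo.sh /etc/certs/openxpki_democa sha256
if [ $# -ge 1 ]; then build_demo_chain "$@" && check_demo_chain "$1" "${2:-sha256}"; fi
```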