Overview

Note: Before you begin, make sure that you have basic knowledge of creating OpenSSL certificates.

To configure the OpenXPKI CA manually, create the following:

  1. Root CA certificate. For more information, see Creating a root CA certificate.

  2. CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.

  3. Data vault certificate, self‑signed. For more information, see Creating a root CA certificate.

  4. SCEP certificate, signed by the signer certificate.

Notes:
  • When selecting the signature hash, use either SHA256 or SHA512.
  • Changing the public key size is optional.

In this example, we use the /etc/certs/openxpki_ca-one/ directory for certificate generation. However, you can use any directory.
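
As an added example (not part of the original page or of OpenXPKI), the shell functions below check that four certificates follow the layout in the list above and the SHA256/SHA512 rule, and build a throwaway hierarchy to run the check against. The file names root, signer, vault, scep and t.cnf are assumptions, and the generated test certificates are constructed sample input.

```shell
#!/bin/sh
# Added example. File names (root, signer, vault, scep, t.cnf) are hypothetical.

# selfsign DIR NAME MD [EXT]: new key plus self-signed certificate.
selfsign() {
    openssl req -config "$1/t.cnf" -x509 -newkey rsa:2048 -nodes -"$3" -days 1 \
        -subj "/CN=test $2" ${4:+-extensions $4} \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR NAME ISSUER MD [EXT]: new key, CSR, and certificate signed by ISSUER.
issue() {
    openssl req -config "$1/t.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=test $2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
        -"$4" -days 1 ${5:+-extfile "$1/t.cnf" -extensions $5} -out "$1/$2.crt" 2>/dev/null
}

# make_test_hierarchy DIR MD [SCEP_ISSUER]: constructed one-day test certificates.
make_test_hierarchy() {
    mkdir -p "$1" &&
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/t.cnf" &&
    selfsign "$1" root "$2" ca &&            # 1. root CA, self-signed
    issue "$1" signer root "$2" ca &&        # 2. CA signer, signed by the root CA
    selfsign "$1" vault "$2" &&              # 3. data vault, self-signed
    issue "$1" scep "${3:-signer}" "$2"      # 4. SCEP, signed by the signer
}

# check_hierarchy DIR: returns 0 only if the layout and the hash rule both hold.
check_hierarchy() {
    v() { openssl verify "$@" >/dev/null 2>&1; }
    v -CAfile "$1/root.crt" "$1/root.crt"   || { echo "root is not self-signed"; return 1; }
    v -CAfile "$1/root.crt" "$1/signer.crt" || { echo "signer is not issued by root"; return 1; }
    v -CAfile "$1/vault.crt" "$1/vault.crt" || { echo "vault is not self-signed"; return 1; }
    # -partial_chain makes the signer the only trust anchor, so a SCEP
    # certificate issued directly by the root fails here.
    v -partial_chain -CAfile "$1/signer.crt" "$1/scep.crt" || { echo "scep is not issued by signer"; return 1; }
    for c in root signer vault scep; do
        alg=$(openssl x509 -in "$1/$c.crt" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}')
        case $alg in
            *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]512*) ;;
            *) echo "$c: signature hash $alg is not SHA256 or SHA512"; return 1 ;;
        esac
    done
}
```

To check real certificates, copy or link them under the names used here into one directory and run `check_hierarchy` on that directory.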