Overview

Note: Before you begin, make sure that you have a basic knowledge on creating OpenSSL certificates.

To configure OpenXPKI CA manually, create the following:

  1. Root CA certificate. For more information, see Creating a root CA certificate.

  2. CA signer certificate, signed by the root CA. For more information, see Creating a signer certificate.

  3. Data vault certificate, self‑signed. For more information, see Creating a root CA certificate.

  4. Web certificate, signed by the signer certificate. For more information, see Setting up the webserver.

Notes:
  • When selecting the signature hash, use either SHA256 or SHA512.
  • Changing the public key size is optional.

For version 3.10 or later, you can manage the keys directly using the openxpkiadm alias command:

  • Run mkdir -p /etc/openxpki/local/keys to create the directory. The default location of the directory is /etc/openxpki/local/keys.

  • Run openxpkictl start to start the server.

For this instance, we are using the /etc/certs/openxpki_democa/ directory for certificate generation. However, you can use any directory.