Go back to the procedure overview

I. Create the Certificate Authority (CA)

If you are using a Linux or Mac system, skip the “Install Bash for Windows 10” instructions below and proceed directly to Command Line Instructions.

If you are using a Windows 10 computer, we strongly recommend following the steps below to get access to a Bash command line on your computer so you can use the OpenSSL instructions in the Command Line Instruction section below.

Install Bash for Windows 10

  1. Open your control panel by clicking Start > Search tool, type “control panel”, then click Control Panel.
  2. Double-click Programs, then click Turn Windows features on or off to open the Windows Features popup.
  3. Scroll down to Windows Subsystem for Linux and enable that option, then click OK.
  4. When prompted, restart your computer. If you need to save your work, you can choose not to restart now. However, you need to reboot to continue to the next step.
  5. After the system has restarted, click Start > Search tool, type “Microsoft store”, and open the Microsoft Store app.
  6. In the store search bar (top right-hand corner), search for “Ubuntu”.
  7. The search will return several apps. Select the one with the simple title: Ubuntu.
  8. Click Get. When the app is finished installing, click Launch to open the Bash window.
  9. After the app finishes a few more installation steps, you are prompted to create a default UNIX user account that you will use to access the Bash command line. This username and password does not need to match your Windows login credentials, but it should still be a difficult-to-guess password and recorded somewhere very secure.
  10. After creating a user account, you see a command line prompt: [username]@[system]:~$ where username is the username you created in the previous step, and system name is.
  11. Navigate to your user documents: To do this type cd /mnt/c/Users/[myuser]/Documents/, replacing [myuser] with your Windows username. You can confirm that you are in the correct folder by entering the pwd command. Enter the ls command to confirm the contents of the folder.
  12. Verify that the OpenSSL tools is installed by entering the openssl version command. Proceed to the Command Line Instructions below.

Command Line Instructions

On Linux or Mac systems, you can simply use OpenSSL commands on the command line to create all necessary files. If you are using a Windows system you will first need to install Bash for Windows 10.

  1. Start your command line tool.
  2. Navigate to the file area where you want to store your files.
    At the command prompt, use cd to change directory to the folder where you want to store your Certificate Authority and manage your Client and Server Certificate files. It’s recommended to start a new folder for this step. For example, perhaps create a “Certificates” folder inside the [myuser] user Documents, replacing [myuser] with your username.
    Once you know which folder you’re using, navigate there in the command line with cd /home/[myuser]/Documents/Certificates(or cd /mnt/c/Users/[myuser]/Documents/Certificates in Bash for Windows). You can use ls to list the contents of the folder to make sure you’re in the right place. Once you’re there, proceed to the next step.
  3. Generate the Certificate Authority (CA) key file.
    Use the following command to generate the Certificate Authority (CA) key file [myCertificateAuthority]-CA.key, where you should replace [myCertificateAuthority] with the name of your Authority. You may name this file any way you like, but we recommended keeping the -CA suffix in the filename (for example Opto22-CA.key) to help keep track of which files are which. You will be prompted to provide a passphrase during this step, followed by confirming the passphrase by typing it in again.

Note: Make sure you keep a secure record of this passphrase since you will need it every time you sign a client or server certificate. At the command line, type the following, replacing [myCertificateAuthority] with the name of your Authority:

openssl genrsa -des3 -out [myCertificateAuthority]-CA.key 2048

Note that you need to create the CA file only once. You’ll use this key to securely sign many certificates.

After you have completed this step, check the folder to confirm the [myCertificateAuthority]-CA.key file was successfully created. You can check with your file browser or use the list command ls at the command line.


Next steps

Continue to Create and install the client certificate (steps II & III) or go back to the procedure overview

Or go to EPIC Developer Overview Home