Tuesday, January 1, 2019

Create a Root Certificate, using XCA

There are scenarios that require you to implement your own private Certificate Authority (CA), such as VPNs, internal web servers, or client authentication to web servers.

This is the first article in a 3-part series that explains how to generate a Root Certificate, Client Certificates and Server Certificates for authentication. In this article, you will learn how to use a tool called XCA to create the Root Certificate, which is used to sign the Client and Server certificates later in this series.


  • Download XCA from http://sourceforge.net/projects/xca/
  • Install XCA (Admin Privilege Required)

Create a new XCA Database

1. Click File->New Database

2. Select a folder, enter a name for the database file, and press Save

3. Enter a new password for accessing the XCA database, and click OK

Create Information Template for Certificates

1. Click on the Template Tab, and then the "New Template" button

2. Select "Nothing", as the preset template value

3. Enter the Distinguished Name fields that will be reused on all subsequent certificates for this PKI, and click OK.

NOTE: The Internal Name is used to identify this template. Also, Digital Services Limited is assumed to be a subdivision of CompanyName.

Create Root Certificate

1. Click on the Certificate Tab, and then the New Certificate button

2. Select the previously created template, and click Apply Subject

3. Click on the Subject tab, and complete the Distinguished Name fields.

NOTE: Internal Name is used to identify the certificate. Enter the common name as "Root CA", or an equivalent name.

4. Click the "Generate a new Key" button. Ensure that the Key Name is the same as the Internal Name, and that it uses RSA with 2048 bits, before clicking the Create button.

5. Click on the Extensions Tab, set the Type to "Certificate Authority" and the validity Time Range to 15 years, and click the Apply button.

6. Click the Key Usage tab, and in the left panel, select Digital Signature, Key Agreement, and Certificate Sign.

7. Click the Advanced tab, confirm that it looks similar to the picture below, and then click OK.

8. The Root certificate is now created.
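To confirm that the new root really carries the settings chosen in steps 4 to 6, the following added example (not part of the original article, and not XCA's own code) checks a PEM certificate with the openssl command-line tool. It assumes the root certificate has been exported from XCA as a PEM file; the function names and file names are hypothetical, and `make_sample_root` only builds a throwaway certificate with the same profile as constructed sample input.

```shell
#!/bin/sh
# Added example: audit a root certificate against the settings from steps 4-6.
# Function and file names are hypothetical; requires the openssl CLI.
check_root_profile() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    rc=0
    for want in "Public-Key: (2048 bit)" "CA:TRUE" \
                "Digital Signature" "Key Agreement" "Certificate Sign"; do
        if ! printf '%s\n' "$text" | grep -qF -- "$want"; then
            echo "MISSING: $want" >&2
            rc=1
        fi
    done
    # A root is self-signed: subject and issuer must be identical.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issu=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issu" ] || { echo "NOT SELF-SIGNED" >&2; rc=1; }
    # Issued for 15 years, so a new root must still be valid 14 years from now.
    openssl x509 -in "$cert" -noout -checkend $((14 * 365 * 86400)) >/dev/null \
        || { echo "EXPIRES TOO SOON" >&2; rc=1; }
    return $rc
}

# make_sample_root DIR [KEYUSAGE] -> writes a throwaway key and certificate
# (constructed sample input) so the check can be tried without XCA.
make_sample_root() {
    dir=$1
    ku=${2:-digitalSignature, keyAgreement, keyCertSign}
    cat > "$dir/root.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Root CA
[v3_root]
basicConstraints = CA:TRUE
keyUsage = $ku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 5475 -config "$dir/root.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
}
```

Call `check_root_profile` with the path of the exported certificate; it returns 0 only when every setting is present and names each missing one on stderr. The 14-year validity check is only meaningful for a newly issued root.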