When generating a new root certificate, the following two forms of the certificate must be created: a PKCS#12 packaged certificate (.p12), which holds the certificate together with its private key, and a DER encoded certificate (.der), which holds the certificate alone.
Both forms are generated at the same time by the cacertutil tool shipped with Client Automation. When an external PKI is used instead, export the root certificate from that PKI in DER format.
The new root certificate is central to the security of Client Automation: whoever holds the PKCS#12 file and its pass phrase can issue certificates that every Client Automation component trusts. Protect it from accidental or deliberate disclosure: choose a long, complex pass phrase for the PKCS#12 file and keep the file in a secure administrative data store, not on the managed endpoints.
The PKCS#12 format certificate (private key included) is used to sign other certificates. The DER format certificate (public certificate only) is used to verify those signed certificates, so it can be distributed to the components that need to check signatures without exposing the signing key.
The command to create a new root certificate has the following format:
cacertutil create -o:rootname.p12 -od:rootname.der -op:passphrase "-s:CN=YourRoot,O=YourOrg,C=Country" -d:NumberOfDays -oe
-o   Specifies the output filename for the PKCS#12 packaged certificate.
-od  Specifies the output filename for the DER encoded certificate.
-op  Specifies the pass phrase used to encrypt the PKCS#12 certificate file.
-s   Specifies the subject (distinguished name) of the certificate; quote the value, since it contains commas.
-d   Specifies the lifetime of the certificate in days (for example, 730 for two years).
-oe  Outputs to the console an encrypted version of the pass phrase used to decode the certificate. This encrypted pass phrase can be supplied to the certificate tool in later commands instead of the clear-text pass phrase, so the clear-text value does not have to appear on command lines or in scripts.
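An added example, not part of the CA documentation and not using cacertutil: the same two artifacts produced with OpenSSL, then exercised the way the text describes. The PKCS#12 form is unlocked with its pass phrase and used to sign an agent certificate, and the DER form alone is used to verify that certificate. The file names, subjects, pass phrase and the working directory are illustrative assumptions; note that OpenSSL takes the subject in slash-separated form rather than the comma-separated form cacertutil expects.

```shell
#!/bin/sh
# Added example (OpenSSL, not CA's cacertutil). All names and the pass phrase
# below are illustrative; run in an empty scratch directory.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Explicit CA extensions so the root is a real CA certificate regardless of the
# local openssl.cnf defaults. The CN placeholder is overridden by -subj.
cat > "$WORKDIR/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME SUBJECT DAYS PASSPHRASE -> path prefix of the two files
# Mirrors: cacertutil create -o:NAME.p12 -od:NAME.der -op:PASSPHRASE -s:SUBJECT -d:DAYS
# NAME.p12 = certificate + private key, pass-phrase protected (the signing form)
# NAME.der = certificate only (the verifying form)
make_root() {
    name=$1; subject=$2; days=$3; pass=$4
    openssl req -x509 -newkey rsa:2048 -nodes -config "$WORKDIR/root.cnf" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.pem" \
        -subj "$subject" -days "$days" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.pem" \
        -out "$WORKDIR/$name.p12" -passout "pass:$pass"
    openssl x509 -in "$WORKDIR/$name.pem" -outform DER -out "$WORKDIR/$name.der"
    rm -f "$WORKDIR/$name.key"   # the only copy of the key now lives in the PKCS#12 file
    echo "$WORKDIR/$name"
}

# unlock_root ROOT PASSPHRASE -> "ok" or "FAIL"
# The PKCS#12 file opens only with the pass phrase it was exported with.
unlock_root() {
    if openssl pkcs12 -in "$1.p12" -nokeys -passin "pass:$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

# sign_with_root ROOT PASSPHRASE LEAFNAME SUBJECT -> path of the signed leaf certificate
sign_with_root() {
    root=$1; pass=$2; leaf=$3; subject=$4
    openssl pkcs12 -in "$root.p12" -nocerts -nodes -passin "pass:$pass" \
        -out "$WORKDIR/$leaf.cakey" 2>/dev/null
    openssl pkcs12 -in "$root.p12" -nokeys -clcerts -passin "pass:$pass" \
        -out "$WORKDIR/$leaf.cacert" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/root.cnf" \
        -keyout "$WORKDIR/$leaf.key" -out "$WORKDIR/$leaf.csr" -subj "$subject" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$leaf.csr" -CA "$WORKDIR/$leaf.cacert" \
        -CAkey "$WORKDIR/$leaf.cakey" -CAcreateserial -days 365 \
        -out "$WORKDIR/$leaf.pem" 2>/dev/null
    rm -f "$WORKDIR/$leaf.cakey"   # never leave the root key on disk in the clear
    echo "$WORKDIR/$leaf.pem"
}

# verify_with_der DERFILE LEAFPEM -> "ok" or "FAIL"
# Only the public DER form is needed to check a signature; no pass phrase involved.
verify_with_der() {
    openssl x509 -inform DER -in "$1" -out "$WORKDIR/trust.pem"
    if openssl verify -CAfile "$WORKDIR/trust.pem" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

PASS='correct horse battery staple'
ROOT=$(make_root yourroot "/CN=YourRoot/O=YourOrg/C=US" 730 "$PASS")
LEAF=$(sign_with_root "$ROOT" "$PASS" agent1 "/CN=agent1/O=YourOrg/C=US")
echo "unlock with pass phrase:    $(unlock_root "$ROOT" "$PASS")"
echo "unlock with wrong phrase:   $(unlock_root "$ROOT" wrong)"
echo "verify leaf with DER root:  $(verify_with_der "$ROOT.der" "$LEAF")"
```

The script deletes the scratch directory on exit; in real use the .p12 file would instead go to the secure store and only the .der file would be copied to the components that verify certificates. The root key is extracted from the PKCS#12 file only for the duration of a signing operation and removed immediately afterwards.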
Copyright © 2014 CA Technologies.
All rights reserved.