
Tutorial: Create a private certificate authority

This tutorial shows how to use the createcacert.py script to create a private CA key pair consisting of two files: ca.key (the private key) and ca.crt (the public certificate).

This key pair will be used to create signed certificates for your servers and clients.

  1. Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.

  2. At the command prompt, run the python createcacert.py command. No command line parameters are required.

    You are prompted for a company name.

  3. Enter the company name. This name will be used as the Organization in the signed certificates you will later create and will be the basis for the Common Name.

    You are prompted for a directory that will be used to store the generated certificate files.

  4. Enter either an absolute path or a relative path. If you enter certificates, all files will be in a directory named "certificates" within your current directory. Ensure this directory is secure (not shared) and is backed up properly.

    You are prompted for the certificate validity duration in months based on the current date.

    Note

    When a certificate expires, communications that rely on that certificate stop working. The recommended validity period is 13 months, which leaves time to renew the certificate each year. When a signed certificate expires, it must be replaced by a new signed certificate everywhere it is used, such as operating systems, browsers, and other software.

  5. Enter the desired number of months.

    Note

    A summary of all command-line options and values that will be used for this operation is displayed. You may want to keep a copy of this information so you can repeat this exact run in the future. Only the serial number will differ.

    You are prompted to create the key pair files.

  6. Press Enter, and the ca.key and ca.crt key pair files will be generated and saved.

    The generated file information is displayed.

    The output files shown at the end of the display will always show the absolute path to the files, even if relative paths were used throughout the program.

  7. Press Enter to exit.

About

CA key pair files

Table 1. CA key pair files

ca.key
  Purpose: CA key file
  Notes: WARNING! Store this key in a secure location. It is the "private" key of the key pair. If malicious users gain access to this key, they can compromise network communications.

ca.crt
  Purpose: CA certificate file
  Notes: The ca.crt file is freely distributed to sources that will need to validate your servers and clients as trustworthy. It is recommended to create a new CA certificate and recreate certificates for your servers and clients every year.


Script default values

Note

The following are default values used by the createcacert.py script.

Table 2. The createcacert.py Python script default values

Cipher
  Default: sha256
  Description: Considered secure as of 2023

Bit depth
  Default: 4096
  Description: Considered secure as of 2023

Org name
  Default: <myCompanyName>
  Description: The company name you enter

Common name
  Default: <myCompanyName> Private Certificate Authority
  Description: The company name you enter plus the text "Private Certificate Authority"

Serial number
  Default: current time stamp + serial number
  Description: The current time and serial number in yyyy-mm-dd hh:mm:ss.ssssss sn format. Example: 20230926174242421981000000001 is 2023-09-26 17:42:42.421981 000000001. "000000001" is the first serial number assigned and is incremented for each certificate created.

Note

This value is helpful in uniquely identifying the version of the certificate.
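The following is an added example, not the createcacert.py script itself: it builds a self-signed CA key pair with the defaults from Table 2 (RSA 4096, SHA-256, the "<org> Private Certificate Authority" common name, a 13-month validity, and the time-stamp-plus-counter serial) using the third-party cryptography package, which is an assumption, as is the nine-digit counter width taken from the example serial above.

```python
import calendar
import datetime as dt
from pathlib import Path
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_serial(when: dt.datetime, counter: int) -> int:
    """Serial = yyyymmddHHMMSSffffff time stamp followed by a 9-digit counter (assumed width)."""
    return int(when.strftime("%Y%m%d%H%M%S%f") + f"{counter:09d}")

def split_serial(serial: int) -> tuple[str, int]:
    """Inverse of make_serial: ('yyyy-mm-dd hh:mm:ss.ssssss', counter)."""
    text = str(serial)
    stamp = dt.datetime.strptime(text[:-9], "%Y%m%d%H%M%S%f")
    return stamp.strftime("%Y-%m-%d %H:%M:%S.%f"), int(text[-9:])

def add_months(when: dt.datetime, months: int) -> dt.datetime:
    """Calendar-month arithmetic; the day is clamped (Jan 31 + 1 month = Feb 28/29)."""
    total = when.month - 1 + months
    year, month = when.year + total // 12, total % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def create_ca(org: str, months: int = 13, counter: int = 1, bits: int = 4096):
    """Self-signed CA certificate using the tutorial's default subject and options."""
    now = dt.datetime.now(dt.timezone.utc)
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)  # "Bit depth"
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),               # "Org name"
        x509.NameAttribute(NameOID.COMMON_NAME, f"{org} Private Certificate Authority"),
    ])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)          # self-signed: issuer == subject
            .public_key(key.public_key())
            .serial_number(make_serial(now, counter))
            .not_valid_before(now)
            .not_valid_after(add_months(now, months))      # validity given in months
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))                   # "Cipher: sha256"
    return key, cert

def write_pair(key, cert, outdir: str) -> tuple[str, str]:
    """Write ca.key (unencrypted PEM, owner-only permissions) and ca.crt; return absolute paths."""
    out = Path(outdir).resolve()
    out.mkdir(parents=True, exist_ok=True)
    key_path, crt_path = out / "ca.key", out / "ca.crt"
    key_path.write_bytes(key.private_bytes(serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
    key_path.chmod(0o600)
    crt_path.write_bytes(cert.public_bytes(serialization.Encoding.PEM))
    return str(key_path), str(crt_path)
```

Like the script, write_pair reports absolute paths even when a relative output directory was given.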