notes/divers/tiny_root_CA_01.md

> Based on article https://www.baeldung.com/openssl-self-signed-cert

## Build a home made root CA

	mkdir -p /app/CA
	cd /app/CA

Create rootCA private key:

	openssl genrsa -des3 -out rootCA.key 4096

Create rootCA certificate:

	openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 7300 -out rootCA.pem


## Generate client root CA signed certificate for a client

Client private key:

	openssl genrsa -out raxus.swgalaxy.key 2048

Client certificate signature request:

	openssl req -new -key raxus.swgalaxy.key -out raxus.swgalaxy.csr

Root CA create a signed certificate using the certificate signature request:

	openssl x509 -req -CA rootCA.pem -CAkey rootCA.key -in raxus.swgalaxy.csr -out raxus.swgalaxy.crt -days 365 -CAcreateserial

Optionally create the full chain:

	cat raxus.swgalaxy.crt rootCA.pem > raxus.swgalaxy.fullchain.crt

Optionally create an export to be imported into a Oracle wallet:

	openssl pkcs12 -export \
		-in raxus.swgalaxy.crt \
		-inkey raxus.swgalaxy.key \
		-certfile rootCA.pem \
		-out raxus.swgalaxy.p12