# Generate local (insecure) root key and certificate

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/generate-local-insecure-root-key-and-certificates.html](https://docs.qualcomm.com/doc/80-70015-11/topic/generate-local-insecure-root-key-and-certificates.html)

The version 3 extensions (`v3` and `v3_attest`) are used to define the format for certificates and to create CAs.

1. To create the `opensslroot.cfg` file, see [Sample OpenSSL configuration](https://docs.qualcomm.com/doc/80-70015-11/topic/appendix-openssl-configuration.html).
2. To create the `v3.ext` and `v3_attest.ext` extension files, use the following:
    - `v3.ext`: The extension format is described at [/docs/manmaster/man5/x509v3_config.html (openssl.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html). Include the following settings:

            authorityKeyIdentifier=keyid,issuer
            subjectKeyIdentifier=hash
            basicConstraints=CA:true,pathlen:0
            keyUsage=keyCertSign
    - `v3_attest.ext`: The extension format is described at [/docs/manmaster/man5/x509v3_config.html (openssl.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html). Include the following settings:

            authorityKeyIdentifier=keyid,issuer
            basicConstraints=CA:FALSE,pathlen:0
            keyUsage=digitalSignature
            extendedKeyUsage=codeSigning
3. Prepare the environment: create a directory named `OEM-KEYS` so that all certificates and keys are generated in one location.
    - For Linux, use the following commands:

            cd /path/to/sectools/
            mkdir ./OEM-KEYS
            cp /download/opensslroot.cfg ./OEM-KEYS
            cp /download/v3.ext ./OEM-KEYS
            cp /download/v3_attest.ext ./OEM-KEYS
    - For Windows, copy `opensslroot.cfg`, `v3.ext`, and `v3_attest.ext` to the `OEM-KEYS` directory.
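
A pre-flight check for the two extension files before they are used for signing, as an added example that is not part of the Qualcomm documentation. It confirms that `v3.ext` describes a certificate-issuing profile and `v3_attest.ext` a code-signing profile; the `role` values (`ca`, `signer`) and the severity labels are assumptions of this example.

```python
# The two files exactly as listed on this page.
V3_EXT = """\
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:true,pathlen:0
keyUsage=keyCertSign
"""
V3_ATTEST_EXT = """\
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE,pathlen:0
keyUsage=digitalSignature
extendedKeyUsage=codeSigning
"""

def parse_ext(text):
    """Parse flat name=value lines into {name_lower: [token_lower, ...]}; '#' starts a comment."""
    ext = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            ext[name.strip().lower()] = [t.strip().lower() for t in value.split(",") if t.strip()]
    return ext

def lint_ext(text, role):
    """role (hypothetical name): 'ca' for v3.ext, 'signer' for v3_attest.ext. Returns [(severity, message)]."""
    ext = parse_ext(text)
    bc = {k.strip(): v.strip() for k, v in (t.split(":", 1) for t in ext.get("basicconstraints", []) if ":" in t)}
    ku, eku = ext.get("keyusage", []), ext.get("extendedkeyusage", [])
    out = []
    if "ca" not in bc:
        out.append(("error", "basicConstraints with a CA: value is missing"))
    if role == "ca":
        if bc.get("ca") != "true":
            out.append(("error", "CA profile must set CA:true"))
        if "keycertsign" not in ku:
            out.append(("error", "CA profile needs keyUsage=keyCertSign"))
        if "pathlen" not in bc:
            out.append(("warn", "no pathlen: subordinate CAs could be chained below this CA"))
    else:
        if bc.get("ca") == "true" or "keycertsign" in ku:
            out.append(("error", "signing profile must not be able to issue certificates"))
        if "digitalsignature" not in ku:
            out.append(("error", "signing profile needs keyUsage=digitalSignature"))
        if "codesigning" not in eku:
            out.append(("warn", "extendedKeyUsage=codeSigning is missing"))
        if "pathlen" in bc:
            out.append(("note", "pathlen with CA:FALSE: RFC 5280 4.2.1.9 allows pathlen only on CA certificates"))
    return out
```

An empty list means the file matches its role; swapping the two files by mistake produces `error` findings.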

The algorithms supported are:
- Rivest–Shamir–Adleman (RSA) signature algorithm
- Elliptic Curve Digital Signature Algorithm (ECDSA)

**Parent Topic:** [Enable secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-secure-boot.html)

Last Published: Oct 14, 2024
