# Generate RSA CA key pair and certificate

Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/generate-rsa-root-ca-key-pair-and-certificate.html](https://docs.qualcomm.com/doc/80-70015-11/topic/generate-rsa-root-ca-key-pair-and-certificate.html)

RSA is an encryption algorithm that uses a pair of keys to encrypt and decrypt data, ensuring secure data transmission.

With RSA, a private and a public key are created.

- The public key is accessible to anyone.
- The private key is only known to the owner of the key pair.

Either the public or private key can encrypt the data, and the other key decrypts it.

1. To generate the root CA key pair and certificate, run the following commands. The key size used is 2048. However, a key size of 4096 is also supported.

        # Generate the root CA private key (2048-bit RSA).
        openssl genrsa -out qpsa_rootca.key 2048

        # Create the self-signed root CA certificate, signed with RSASSA-PSS and SHA-256.
        openssl req -new -sha256 -key qpsa_rootca.key -x509 -out rootca_pem.crt \
            -subj /C=US/ST=California/L="San Diego"/OU="General Use Test Key (for testing 13 only)"/OU="CDMA Technologies"/O=QUALCOMM/CN="QCT Root CA 1" \
            -days 7300 -set_serial 1 -config opensslroot.cfg \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256

        # Convert the root CA certificate from PEM to DER.
        openssl x509 -in rootca_pem.crt -inform PEM -out qpsa_rootca.cer -outform DER

        # Print the DER certificate as text to review it.
        openssl x509 -text -inform DER -in qpsa_rootca.cer
2. To generate the attestation CA key pair and certificate, run the following commands using RSA with a key size of 2048:

        # Generate the attestation CA private key (2048-bit RSA).
        openssl genrsa -out qpsa_attestca.key 2048

        # Create the certificate signing request for the attestation CA.
        openssl req -new -key qpsa_attestca.key -out attestca.csr \
            -subj /C=US/ST=CA/L="San Diego"/OU="CDMA Technologies"/O=QUALCOMM/CN="QUALCOMM Attestation CA" \
            -days 7300 -config opensslroot.cfg

        # Sign the request with the root CA key, using RSASSA-PSS and SHA-256.
        openssl x509 -req -in attestca.csr -CA rootca_pem.crt -CAkey qpsa_rootca.key \
            -out attestca_pem.crt -set_serial 5 -days 7300 -extfile v3.ext -sha256 \
            -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sigopt digest:sha256

        # Convert the attestation CA certificate from PEM to DER.
        openssl x509 -inform PEM -in attestca_pem.crt -outform DER -out qpsa_attestca.cer
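
To confirm what the two steps above produced, the following added example (not Qualcomm's code) checks that both PEM certificates are RSASSA-PSS signed, carry CA:TRUE, use keys of at least 2048 bits, and that the attestation CA chains to the root. The function names, demo subjects and the stand-in contents for `opensslroot.cfg` and `v3.ext` are assumptions, and it needs an OpenSSL build whose `x509` command accepts `-sigopt`, as step 2 does.

```bash
#!/bin/sh
# Added example. check_ca_pair ROOT_PEM ATTEST_PEM returns 0 only if all checks pass.
check_ca_pair() {
  root=$1 attest=$2 rc=0
  for crt in "$root" "$attest"; do
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || return 2
    # The page's -sigopt rsa_padding_mode:pss should yield an RSASSA-PSS signature.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: rsassaPss' ||
      { echo "FAIL $crt: not signed with RSASSA-PSS"; rc=1; }
    # A CA certificate needs basicConstraints CA:TRUE to issue further certificates.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
      { echo "FAIL $crt: basicConstraints CA:TRUE missing"; rc=1; }
    # The page generates 2048-bit keys (4096 is also supported).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL $crt: key is ${bits:-?} bits"; rc=1; }
  done
  # The attestation CA certificate must chain to the root CA certificate.
  openssl verify -CAfile "$root" "$attest" >/dev/null 2>&1 ||
    { echo "FAIL: $attest does not verify against $root"; rc=1; }
  return $rc
}

# Constructed sample input: throwaway keys in DIR, with minimal stand-ins for
# opensslroot.cfg and v3.ext (assumed contents; the page does not show them).
make_demo_certs() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    'commonName=Common Name' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' >"$d/root.cfg"
  echo 'basicConstraints=critical,CA:TRUE' >"$d/v3.ext"
  pss='-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1'
  {
    openssl genrsa -out "$d/root.key" 2048 &&
    openssl req -new -x509 -sha256 -key "$d/root.key" -config "$d/root.cfg" \
      -subj '/CN=Example Test Root CA' -days 30 -set_serial 1 $pss -out "$d/root.crt" &&
    openssl genrsa -out "$d/att.key" 2048 &&
    openssl req -new -key "$d/att.key" -config "$d/root.cfg" \
      -subj '/CN=Example Test Attestation CA' -out "$d/att.csr" &&
    openssl x509 -req -in "$d/att.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
      -set_serial 5 -days 30 -extfile "$d/v3.ext" -sha256 $pss -out "$d/att.crt" &&
    # Negative control: the same CSR self-signed with default PKCS#1 v1.5 padding.
    openssl x509 -req -in "$d/att.csr" -signkey "$d/att.key" -days 30 -out "$d/bad.crt"
  } >/dev/null 2>&1
}
# Usage: d=$(mktemp -d); make_demo_certs "$d" && check_ca_pair "$d/root.crt" "$d/att.crt"
```

Against the files from the steps above, the call is `check_ca_pair rootca_pem.crt attestca_pem.crt`.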

**Parent Topic:** [Enable secure boot](https://docs.qualcomm.com/doc/80-70015-11/topic/enable-secure-boot.html)

Last Published: Oct 14, 2024
