# Generate local (insecure) root key and certificate The version 3 (v3 and v3\_attest) extensions are used to define the format for certificates and create CAs. 1. To create `opensslroot.cfg` file, see [Sample OpenSSL configuration](https://docs.qualcomm.com/doc/80-70017-11/topic/appendix-openssl-configuration.html#appendix-openssl-configuration). 2. To create the `v3.ext` and `v3_attest.ext` extensions, use the following: - `v3.ext`: This extension can be found at [/docs/manmaster/man5/x509v3_config.html (openssl.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html), and include the following settings: authorityKeyIdentifier=keyid,issuer subjectKeyIdentifier=hash basicConstraints=CA:true,pathlen:0 keyUsage=keyCertSign Copy to clipboard - `v3_attest.ext`: This extension can be found at [/docs/manmaster/man5/x509v3_config.html (openssl.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html), and include the following settings: authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE,pathlen:0 keyUsage=digitalSignature extendedKeyUsage=codeSigning Copy to clipboard 3. Prepare the environment, create a directory named OEM-KEYS to generate all certificates and keys at one location. - For Linux, use the following commands: cd /path/to/sectools/$ mkdir ./OEM-KEYS cp /download/opensslroot.cfg ./OEM-KEYS cp /download/v3.ext ./OEM-KEYS cp /download/v3\_attest.ext ./OEM-KEYS - For Windows, copy `opensslroot.cfg`, `v3.ext`, and `v3_attest.ext` to the OEM-KEYS directory. The algorithms supported are: - Rivest–Shamir–Adleman (RSA) signature algorithm - Elliptical curve digital signature algorithm (ECDSA) Last Published: Jan 30, 2025 [Previous Topic QFPROM fuses](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/appendix-fuse-configurations.md) [Next Topic Generate ECDSA root key and certificate](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/generate-ecdsa-root-key-and-certificate.md)