# Generate local (insecure) root key and certificate

The version 3 extension files (`v3.ext` and `v3_attest.ext`) define the certificate format and establish the Certificate Authority (CA). With them you can create a local CA whose attributes and constraints are set by the v3 extensions, and issue certificates for testing and development purposes.

Follow these steps to generate a local root key and certificate.

1. To create the `opensslroot.cfg` file, see [Sample OpenSSL configuration](https://docs.qualcomm.com/doc/80-70018-11/topic/appendix-openssl-configuration.html#appendix-openssl-configuration).
2. To create the `v3.ext` and `v3_attest.ext` extensions, use the following:

    - `v3.ext`: For the format of this extension file, see [/docs/manmaster/man5/x509v3_config.html (OpenSSL.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html). Include the following settings:

        ```
        authorityKeyIdentifier=keyid,issuer
        subjectKeyIdentifier=hash
        basicConstraints=CA:true,pathlen:0
        keyUsage=keyCertSign
        ```
    - `v3_attest.ext`: For the format of this extension file, see [/docs/manmaster/man5/x509v3_config.html (OpenSSL.org)](https://www.openssl.org/docs/manmaster/man5/x509v3_config.html). Include the following settings:

        ```
        authorityKeyIdentifier=keyid,issuer
        basicConstraints=CA:FALSE,pathlen:0
        keyUsage=digitalSignature
        extendedKeyUsage=codeSigning
        ```
3. Prepare the environment: create a directory named `OEM-KEYS` so that all certificates and keys are generated in one location.

    - For Linux, use the following commands:

        ```
        # Work from the sectools directory
        cd /path/to/sectools/
        # Create OEM-KEYS and copy the configuration and extension files into it
        mkdir ./OEM-KEYS &&
        cp /download/opensslroot.cfg ./OEM-KEYS &&
        cp /download/v3.ext ./OEM-KEYS &&
        cp /download/v3_attest.ext ./OEM-KEYS
        ```
    - For Windows, copy `opensslroot.cfg`, `v3.ext`, and `v3_attest.ext` to the `OEM-KEYS` directory.
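
The following lint is an added example, not part of the original page or of Qualcomm's tooling. It checks that the two extension profiles from step 2 keep signing authority separated: the root profile may issue certificates, the attestation profile may only sign code. The `role` labels (`ca`, `leaf`) and the finding strings are assumptions made for this example.

```python
# Added example: lint the v3.ext / v3_attest.ext settings listed on this page.
V3_EXT = """authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:true,pathlen:0
keyUsage=keyCertSign
"""
V3_ATTEST_EXT = """authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE,pathlen:0
keyUsage=digitalSignature
extendedKeyUsage=codeSigning
"""

def parse_ext(text):
    """Parse flat `name=v1,v2` lines into {name: [values]}; '#' starts a comment."""
    ext = {}
    for raw in text.splitlines():
        name, eq, value = raw.split("#", 1)[0].partition("=")
        if eq:
            ext[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return ext

def lint(text, role):
    """Return findings for one profile. role: 'ca' or 'leaf' (labels assumed here)."""
    ext = parse_ext(text)
    bc = [v.lower() for v in ext.get("basicConstraints", [])]
    ku = ext.get("keyUsage", [])
    is_ca = "ca:true" in bc
    has_pathlen = any(v.startswith("pathlen:") for v in bc)
    out = []
    if role == "ca":
        if not is_ca:
            out.append("ERROR: CA profile lacks basicConstraints CA:true")
        if "keyCertSign" not in ku:
            out.append("ERROR: CA profile lacks keyUsage keyCertSign")
        if not has_pathlen:
            out.append("WARN: CA profile sets no pathlen limit")
        return out
    if is_ca or "keyCertSign" in ku:
        out.append("ERROR: leaf profile is able to issue certificates")
    if "digitalSignature" not in ku:
        out.append("ERROR: leaf profile lacks keyUsage digitalSignature")
    if ext.get("extendedKeyUsage") != ["codeSigning"]:
        out.append("WARN: leaf extendedKeyUsage is not limited to codeSigning")
    if has_pathlen:
        out.append("NOTE: pathlen with CA:FALSE; RFC 5280 4.2.1.9 defines it for CAs only")
    return out

if __name__ == "__main__":
    print(lint(V3_EXT, "ca"), lint(V3_ATTEST_EXT, "leaf"))
```

Swapping the two files (for example, signing an attestation certificate with `v3.ext`) shows up as `ERROR` findings, which is the mistake this check is meant to catch before any certificate is issued.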

The supported algorithms include:

- Rivest–Shamir–Adleman (RSA) signature algorithm
- Elliptic Curve Digital Signature Algorithm (ECDSA)

## Next steps

- To enhance device security by providing stronger cryptographic protection and better performance, you must generate the ECDSA root key and certificate. For more information, see [Generate ECDSA root key and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-ecdsa-root-key-and-certificate.html#generate-ecdsa-root-key-and-certificate).
- To allow client applications to authenticate securely and enable encrypted communication, see [Generate RSA CA key pair and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-rsa-root-ca-key-pair-and-certificate.html#generate-rsa-root-ca-key-pair-and-certificate).

Last Published: Apr 10, 2025
