In a PKI (public key infrastructure), a CA (certificate authority) is responsible for issuing and maintaining digital certificates. The CA signs each certificate with its private key, and that signature becomes the certificate's digital signature. Such CAs are called trusted root CAs.

But what if you don't have a trusted root CA? In that case you need to create your own self-signed CA, which involves generating a private key. Once the CA has been created, you can use it to sign other certificates in your organization; these will be shown as issued by this CA. The CA's certificate then needs to be distributed to all clients and servers that need to trust it, which also maintains the chain of trust.

The process is as follows:

Install openssl:
    sudo apt-get install openssl

Generate the private key:
    openssl genrsa -out ca.key 2048

Create new CA certificate:
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -sha256

Protect the private key:
    chmod 400 ca.key

That's it. Your CA certificate has been created. You can use this ce
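Added example (not part of the original page): the steps above run unattended in a scratch directory, then carried one step further to what the text calls signing other certificates with this CA, followed by a chain check. The subject names, the server.* and san.ext file names, and the 365-day leaf lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Subject names, server.* / san.ext
# file names and the 365-day leaf lifetime are assumptions for illustration.
set -eu

# Create the self-signed CA with the page's parameters (RSA 2048, 3650 days, SHA-256).
# -subj answers the interactive subject prompts so the script runs unattended.
make_ca() {
    dir=$1
    # Tight umask so the key is never group/world readable, even briefly.
    ( umask 077 && openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null )
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -sha256 -subj "/CN=Example Internal CA"
    chmod 400 "$dir/ca.key"
}

# Issue a leaf certificate: the server makes a key and CSR, the CA signs the CSR.
# The SAN is supplied at signing time because x509 -req does not copy
# extensions from the CSR by default.
issue_cert() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$cn"
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if the certificate ($2) chains to the CA certificate in directory $1.
verify_cert() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

# Print the issuer name recorded in a certificate.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

demo() {
    work=$(mktemp -d)
    make_ca "$work"
    issue_cert "$work" "app.internal.example"
    verify_cert "$work" "$work/server.crt" && issuer_of "$work/server.crt"
    rm -rf "$work"
}
demo
```

Only ca.crt is handed to clients and servers; ca.key stays on the signing host with the restrictive mode set above.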