Obtain Domain CA certificates

Unlike the License Server, Packager or Transport certificate, the Domain CA certificate is not issued by Adobe. You can obtain this certificate from a Certificate Authority, or you can generate a self-signed certificate to use for this purpose.

The Domain CA certificate should use a 1024-bit key and contain the standard attributes required in a CA certificate:

  • Basic Constraints extension with the CA flag set to true
  • Key Usage extension specifying Certificate Signing is allowed

For example, using OpenSSL, a self-signed CA certificate can be generated as follows:

  1. Create a file called ca-extensions.txt containing:

    keyUsage=critical,keyCertSign  
    basicConstraints=critical,CA:TRUE  
    subjectKeyIdentifier=hash 
    
  2. Generate key:

    openssl genrsa -des3 -out domain-ca.key 1024 
    
  3. Generate CSR:

    openssl req -new -key domain-ca.key -out domain-ca.csr 
    
  4. Generate certificate:

    openssl x509 -req -days 365 -in domain-ca.csr -signkey domain-ca.key \ 
      -out domain-ca.cer -extfile ca-extensions.txt 
    
  5. Generate password:

    openssl rand -base64 8 
    
  6. Generate PFX:

    openssl pkcs12 -export -inkey domain-ca.key \ 
    -in domain-ca.cer -out domain-ca.pfx
    

On this page