DocumentationPrimetimePrimetime Digital Rights Management Help

Obtain Domain CA certificates obtain-domain-ca-certificates

Last update: Mon Oct 02 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Unlike the License Server, Packager or Transport certificate, the Domain CA certificate is not issued by Adobe. You can obtain this certificate from a Certificate Authority, or you can generate a self-signed certificate to use for this purpose.

The Domain CA certificate should use a 1024-bit key and contain the standard attributes required in a CA certificate:

  • Basic Constraints extension with the CA flag set to true
  • Key Usage extension specifying Certificate Signing is allowed

For example, using OpenSSL, a self-signed CA certificate can be generated as follows:

  1. Create a file called ca-extensions.txt containing:

    code language-none 
    keyUsage=critical,keyCertSign
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash

  2. Generate key:

    code language-none 
    openssl genrsa -des3 -out domain-ca.key 1024

  3. Generate CSR:

    code language-none 
    openssl req -new -key domain-ca.key -out domain-ca.csr

  4. Generate certificate:

    code language-none 
    openssl x509 -req -days 365 -in domain-ca.csr -signkey domain-ca.key \
  -out domain-ca.cer -extfile ca-extensions.txt

  5. Generate password:

    code language-none 
    openssl rand -base64 8

  6. Generate PFX:

    code language-none 
    openssl pkcs12 -export -inkey domain-ca.key \
-in domain-ca.cer -out domain-ca.pfx
recommendation-more-help
6586e0f0ff95af3ee5405884