[ZT] Generate root CA (#11761)

maxvp · web-flow · commit 6e385c32f3e9 · 2023-11-15T11:01:31.000-05:00
diff --git a/content/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.md b/content/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.md
@@ -14,15 +14,47 @@ Only available on Enterprise plans.
 
 Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/configuring-block-page/).
 
-To generate a custom root CA, refer to [IBM's documentation](https://www.ibm.com/docs/en/runbook-automation?topic=certificate-generate-root-ca-key).
-
 {{<Aside type="warning">}}
 Custom certificates are limited to use between your users and the Gateway proxy. Connections between Gateway and the origin server will use the Cloudflare certificate.
 {{</Aside>}}
 
-When preparing your certificate and private key for upload, be sure to remove any unwanted characters, such as mismatching subdomains in the certificate's common name.
+## Generate a custom root CA
+
+Before you generate a custom root CA, make sure you have [OpenSSL](https://www.openssl.org/) installed.
+
+1. Open a terminal.
+2. Create a directory for the root CA and change into it.
+
+   ```sh
+   $ mkdir -p /root/customca
+   $ cd /root/customca
+   ```
+
+3. Generate a private key for the root CA.
+
+   ```sh
+   $ openssl genrsa -out <CUSTOM-ROOT-PRIVATE-KEY>.pem 2048
+   ```
+
+4. Generate a self-signed root certificate.
+
+   ```sh
+   $ openssl req -x509 -sha256 -new -nodes -key <CUSTOM-ROOT-PRIVATE-KEY>.pem -days 365 -out <CUSTOM-ROOT-CERT>.pem
+   ```
+
+When preparing your certificate and private key for upload, be sure to remove any unwanted characters, such as mismatching subdomains in the certificate's common name. To review the private key, run the following command:
+
+```sh
+$ openssl rsa -in <CUSTOM-ROOT-PRIVATE-KEY>.key -text
+```
+
+To review the certificate, run the following command:
+
+```sh
+$ openssl x509 -in <CUSTOM-ROOT-CERT>.pem -text
+```
 
-To deploy a custom root certificate:
+## Deploy a custom root certificate
 
 1. Verify that the certificate is installed on your devices.
 
