pkiutil newca

Generates a self-signed CA certificate.

pkiutil newca -caprivkey <caprivkey> -capubkey <capubkey> -certout <certout> [-dn <dn>] -sigalg <sigalg> [-sigalg <sigalg> ... -sigalg <sigalg>]

For example:

pkiutil newca -capubkey pub.pem -caprivkey priv.pem -certout compositeca.pem -dn "cn=myComposite,c=ca" -sigalg SHA256withRSA -sigalg SHA256withECDSA

See below for a description of each option.

-caprivkey <caprivkey>

Sign the certificate with the <caprivkey> private key, where <caprivkey> is the name of a file generated with the pkiutil keygen command.

Mandatory: Yes.

-capubkey <capubkey>

Certify the <capubkey> public key, where <capubkey> is the name of a file generated with the pkiutil keygen command.

Mandatory: Yes.

-certout <certout>

Save the certificate to the file named <certout>.

Mandatory: Yes.

-dn <dn>

Set <dn> as the Distinguished Name of the certificate subject.

Mandatory: No. When omitted, this value defaults to:

Composite Test CA

-sigalg <sigalg>

Sign the certificate with the <sigalg> algorithm, where <sigalg> is one of the algorithm identifiers listed in the PKIUtil algorithm reference. Specify the -sigalg option more than once to generate a composite certificate.

Mandatory: Yes.