Your CA Certificate, Key and Password

The private subdirectory contains the root CA certificate and matching private key.

The certificate is provided in several formats, because different entities that you communicate with, such as different browsers, may require different formats. The .pem files contain a format called PEM. This is a way of modifying a binary string so that the bit pattern in each byte coincides with an ASCII character, so that the string is printable and displayable as text. The .cer file contains a format called DER, which is not plain text.

The files provided in the private subdirectory are:

CAkey.pem - the CA's private key file. You can open this file in a text editor and see that the key is just one long number. In PEM format, it is preceded and followed by headers - these identify it as an RSA private key. It has been encrypted, by combining it with the pass phrase mentioned above. It appears as a string of characters.
CARootcert.pem - the CA's certificate in PEM format, the default for OpenSSL. In a text editor, the PEM-format certificate looks similar in layout to the key, but in fact a certificate has a complex structure. You can open the certificate file using the x509 command of the openssl utility. For example from the private subdirectory, enter:
```
..\openssl x509 -in carootcert.pem -text
```
This shows the certificate first in human-readable form, and then in machine-readable form between the BEGIN CERTIFICATE and END CERTIFICATE lines. It shows that the public key was generated using the RSA algorithm and is 1024 bits long. The signature was created using the MD5 hashing algorithm and the RSA encryption algorithm. Notice that the Issuer and Subject are the same, because this is a self-signed certificate, as you would expect of a root CA's certificate.
CARootcert.cer - The CA's certificate in another format, P7B format, the default for Internet Explorer, which might be required because different browsers require different formats. You can view the certificate using the x509 command and the -inform parameter to specify that this certificate is in DER format. For example from the private subdirectory, enter:
```
..\openssl x509 -in carootcert.cer -text -inform DER
```
Compare the x509 displays of the PEM and DER versions of this certificate, and notice that their contents are identical. However, you cannot display the DER one with a text editor.

The CAKey.pem and srvkey.pem files are installed with the same password "srvrootpwd". See Is the Demonstration CA a Real CA? for recommendations.

You should regard the contents of this private folder as sacrosanct. These are the public/private key pair that you must have in order to operate your CA. Do not alter or lose anything in here. Note that anyone who gets hold of your private key can masquerade as you. In production, you would take precautions such as making these files read-only, and keeping secure backups.