Generate a Certificate Authority (CA)
Generate an RSA Private Key
openssl genrsa -out ca.key 2048
Generate a Self-Signed CA Certificate
Input: ca.key Output: ca.pem
The -x509 flag makes openssl req emit a certificate instead of a request; because it is signed with its own key, this certificate is the trust anchor that the key stores below will import.
openssl req -new -x509 -days 365 -key ca.key -out ca.pem
It prompts for the following subject fields (the defaults in brackets come from openssl.cnf):
- Country Name (2 letter code) [AU]
- State or Province Name (full name) [Some-State]
- Locality Name (eg, city) []
- Organization Name (eg, company) [Internet Widgits Pty Ltd]
- Organizational Unit Name (eg, section) []
- Common Name (e.g. server FQDN or YOUR name) []
- Email Address []
Prompts can be suppressed by supplying the whole subject with the -subj parameter (for a CA the Common Name is only a display name, so any descriptive value works):
openssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.common.name'
Import an X.509 Certificate into a Java Key Store
Input: ca.pem Output: cacerts.jks
keytool -import -keystore cacerts.jks -file ca.pem
It prompts for the keystore password (creating cacerts.jks if it does not exist), prints the certificate's subject and fingerprints, and asks for confirmation before storing it as a trusted entry:
- Enter keystore password
- Trust this certificate? [no]
Compare the fingerprints with the ones from openssl x509 -in ca.pem -noout -fingerprint before answering yes. Without -alias the entry is stored under the default alias mykey, so give each trusted certificate its own -alias; a second import with the same alias is rejected.
Generate a Certificate Signed by the CA
Generate an RSA Private Key
openssl genrsa -out server.key 2048
Generate a Certificate Request
openssl req -new -key server.key -out server.csr -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.server.name'
Generate an X.509 Certificate
Inputs: server.csr, ca.pem, ca.key Output: server.pem
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem
Every certificate issued by the same CA must carry a unique serial number, so use a different -set_serial value for each one; for example, use 02 for a client certificate whose client.key and client.csr are produced exactly as the server's were above (alternatively, -CAcreateserial lets OpenSSL track the next serial in ca.srl). Note that openssl x509 -req neither copies extensions from the CSR nor adds any of its own, so a certificate made this way has no subjectAltName; browsers and most TLS libraries match hostnames against the SAN rather than the CN, so for real use pass the extensions in with -extfile.
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key -set_serial 02 -out client.pem
Export to a P12 Bundle
Inputs: server.pem, server.key Output: server.p12
openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12
It prompts for an export password that protects the P12 file. A P12 (PKCS#12) file is not a certificate but a bundle: here it holds the RSA private key together with its X.509 certificate. Add -certfile ca.pem to include the CA certificate as well, so the importing side receives the full chain.
Import a P12 Bundle into a Java Key Store
Input: server.p12 Output: server.jks
keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12
It prompts for the following passwords:
- Enter destination keystore password. It must be at least 6 characters.
- Re-enter new password
- Enter source keystore password
Prompts can be suppressed with the -deststorepass, -destkeypass and -srcstorepass parameters. Passwords given on the command line end up in shell history and in process listings, so outside of throwaway test setups prefer keytool's :env or :file forms (for example -srcstorepass:env VARNAME), which read the password from an environment variable or a file instead:
keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -deststorepass secret -destkeypass secret -srcstorepass secret
Export a Java Key Store to a P12 Bundle
Input: server.jks Output: server.p12
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
Retrieve the RSA Private Key from a P12 Bundle
Input: server.p12 Output: server.key
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key
The -nodes option (spelled -noenc in OpenSSL 3, where -nodes remains an accepted alias) writes the key unencrypted, so run this with a restrictive umask and keep the resulting file readable only by its owner.
Retrieve the X.509 Certificate from a P12 Bundle
Input: server.p12 Output: server.pem
openssl pkcs12 -in server.p12 -nokeys -out server.pem
With -nokeys every certificate in the bundle is written out, including a CA certificate if one was included with -certfile; add -clcerts to extract only the end-entity certificate.
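The following script is an added end-to-end example that is not part of the original page: it runs the whole procedure above (CA, server certificate, P12 bundle, JKS import, key and certificate extraction) with the gaps the one-liners leave filled in. The CA certificate receives explicit CA:TRUE and keyCertSign extensions from a file instead of whatever the system openssl.cnf supplies, the server certificate receives a subjectAltName, serial numbers come from -CAcreateserial rather than hand-picked values, passwords are read from the environment, and each stage is checked with openssl verify. The working directory (from mktemp), the host name test.server.name and the password "secret" are assumed demo values; the JKS step is skipped when keytool is not on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page: CA -> server cert -> PKCS#12 -> JKS,
# then extraction, with SAN, explicit CA extensions and a verify step.
# Assumed demo values: work dir from mktemp, host test.server.name, password "secret".
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST='test.server.name'
STOREPASS='secret'          # demo value; read via env: so it never appears in argv
export STOREPASS

# CA key + self-signed CA certificate, then server key + CSR + signed leaf,
# then the PKCS#12 bundle. Subshell body so cd and umask do not leak out.
build_pki() (
  cd "$WORKDIR"
  umask 077                                   # private keys are created 0600

  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -key ca.key -out ca.csr \
    -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=Test CA'
  # Extensions come from our own file, not from the distro's openssl.cnf.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
  openssl x509 -req -days 365 -in ca.csr -signkey ca.key \
    -extfile ca.ext -out ca.pem 2>/dev/null

  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr \
    -subj "/C=US/ST=IL/L=Chicago/O=Test Organization/CN=$HOST"
  # x509 -req ignores CSR extensions, so SAN and key usage must come via -extfile.
  printf '%s\n' "subjectAltName=DNS:$HOST" 'basicConstraints=CA:FALSE' \
                'keyUsage=digitalSignature,keyEncipherment' \
                'extendedKeyUsage=serverAuth' > server.ext
  openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -extfile server.ext -out server.pem 2>/dev/null

  # Bundle leaf + key + CA, then prove the chain and the host name actually check out.
  openssl pkcs12 -export -in server.pem -inkey server.key -certfile ca.pem \
    -out server.p12 -passout env:STOREPASS
  openssl verify -CAfile ca.pem -verify_hostname "$HOST" server.pem >/dev/null
)

# PKCS#12 -> JKS with keytool, passwords via :env. Skipped when no JDK is present.
import_jks() (
  cd "$WORKDIR"
  command -v keytool >/dev/null 2>&1 || { echo 'keytool not found; skipping JKS import' >&2; exit 0; }
  keytool -importkeystore -noprompt -srckeystore server.p12 -srcstoretype PKCS12 \
    -srcstorepass:env STOREPASS -destkeystore server.jks -deststoretype JKS \
    -deststorepass:env STOREPASS 2>/dev/null
  keytool -list -keystore server.jks -storepass:env STOREPASS | grep -q PrivateKeyEntry
)

# Key and certificate back out of the bundle. -nodes (-noenc in OpenSSL 3) writes
# the key unencrypted, hence umask first; -clcerts keeps only the end-entity
# certificate, otherwise -nokeys also emits the CA certificate added above.
extract_from_p12() (
  cd "$WORKDIR"
  umask 077
  openssl pkcs12 -in server.p12 -nodes -nocerts -out extracted.key -passin env:STOREPASS
  openssl pkcs12 -in server.p12 -nokeys -clcerts -out extracted.pem -passin env:STOREPASS
  # Sanity check: the extracted key must belong to the extracted certificate.
  [ "$(openssl pkey -in extracted.key -pubout)" = "$(openssl x509 -in extracted.pem -noout -pubkey)" ]
)

build_pki
import_jks
extract_from_p12
echo "PKI written to $WORKDIR"
```

Run it as is to get a throwaway PKI in a fresh temporary directory, or set WORKDIR to write into a directory of your choice. The openssl verify call is the step worth keeping in any real workflow: it catches a missing CA extension or a wrong SAN at build time rather than when a client refuses the connection.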