Generating X.509 Certificates

Generate a Certificate Authority (CA)

Generate an RSA Private Key

openssl genrsa -out ca.key 2048

Generate a Certificate

Input: ca.key
Output: ca.pem
openssl req -new -x509 -days 365 -key ca.key -out ca.pem

It prompts to enter the following information:

  • Country Name (2 letter code) [AU]
  • State or Province Name (full name) [Some-State]
  • Locality Name (eg, city) []
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]
  • Organizational Unit Name (eg, section) []
  • Common Name (e.g. server FQDN or YOUR name) []
  • Email Address []

The prompts can be suppressed by supplying the same information with the -subj parameter:

openssl req -new -x509 -days 365 -key ca.key -out ca.pem -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.common.name'

Import an X.509 Certificate into a Java Key Store

Input: ca.pem
Output: cacerts.jks
keytool -import -keystore cacerts.jks -file ca.pem

It prompts for a keystore password and for confirmation that the certificate is trusted before importing it into the Java Key Store:

  • Enter keystore password
  • Trust this certificate? [no]

Generate a Certificate from a CA

Generate an RSA Private Key

openssl genrsa -out server.key 2048

Generate a Certificate Request

openssl req -new -key server.key -out server.csr -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.server.name'

Generate an X.509 Certificate

Inputs: server.csr, ca.pem, ca.key
Output: server.pem
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem

Use a different serial number when generating another certificate with the same CA, since serial numbers must be unique among the certificates a CA issues. For example, use 02 when generating a client certificate.

openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key -set_serial 02 -out client.pem
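As an added example that is not part of the original post, the following POSIX shell script runs the CA, server and client steps above non-interactively and then checks what the post leaves unchecked: that each issued certificate verifies against ca.pem, that the two serial numbers differ, and that server.key matches server.pem before they are bundled into a P12. It assumes openssl is on PATH and reuses the placeholder subject names from the post.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl on PATH;
# subject names are placeholders copied from the post.
set -eu

# Build a CA, then a server and a client certificate signed by it, in $1.
build_pki() {
  dir="$1"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.pem" \
    -subj '/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.common.name'
  serial=1
  for name in server client; do
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/C=US/ST=IL/L=Chicago/O=Test Organization/CN=test.$name.name"
    # Every certificate issued by this CA gets its own serial number.
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.pem" \
      -CAkey "$dir/ca.key" -set_serial "$serial" -out "$dir/$name.pem" 2>/dev/null
    serial=$((serial + 1))
  done
}

# Print the serial number of a PEM certificate as openssl formats it, e.g. 01.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Check the generated material: both certificates chain to ca.pem, their
# serial numbers differ, and server.key belongs to server.pem. Echoes OK.
check_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null
  openssl verify -CAfile "$dir/ca.pem" "$dir/client.pem" >/dev/null
  [ "$(cert_serial "$dir/server.pem")" != "$(cert_serial "$dir/client.pem")" ]
  # Compare the public key derived from the private key with the one in the cert.
  [ "$(openssl pkey -in "$dir/server.key" -pubout)" = \
    "$(openssl x509 -in "$dir/server.pem" -noout -pubkey)" ]
  echo OK
}
```

Run it as `d=$(mktemp -d); build_pki "$d"; check_pki "$d"`; a mismatched key or a reused serial makes check_pki exit non-zero instead of printing OK.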

Export to a P12 Certificate

Inputs: server.pem, server.key
Output: server.p12
openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12

It prompts for a password to protect the P12 file, which contains both the private RSA key and the X.509 certificate.

Import a P12 Certificate into a Java Key Store

Input: server.p12
Output: server.jks
keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12

It prompts to enter the following passwords:

  • Enter destination keystore password. It must be at least 6 characters.
  • Re-enter the destination keystore password to confirm it.
  • Enter source keystore password (the password chosen when the P12 file was exported).

The prompts can be suppressed by supplying the passwords with the -deststorepass, -destkeypass, and -srcstorepass parameters:

keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -deststorepass secret -destkeypass secret -srcstorepass secret

Export a Java Key Store to a P12 Certificate

Input: server.jks
Output: server.p12
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12

Retrieve a Private RSA Key from a P12 Certificate

Input: server.p12
Output: server.key
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key

Retrieve an X.509 Certificate from a P12 Certificate

Input: server.p12
Output: server.pem
openssl pkcs12 -in server.p12 -nokeys -out server.pem
