====== Creating Cert ======

===== CA Private Key and Certificate =====

In the real world we do not have to create these: commercial CAs will sign our Certificate Signing Request (CSR) for a fee. For private use (internal hosts, test systems) we can run our own CA. We will use openssl for this.

Private key (4096-bit RSA, encrypted with AES-256; openssl prompts for a passphrase and will ask for it again every time the key is used to sign):

<code bash>
openssl genrsa -aes256 -out ca.key 4096
</code>

CA certificate, self-signed with the key above. This is the file that gets distributed to clients; ''ca.key'' never leaves the CA machine:

<code bash>
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
</code>

===== Server Private Key and CSR =====

We need to generate the server private key and the corresponding CSR. ''-nodes'' ("no DES") leaves ''server.key'' unencrypted so the service can start without a passphrase, so protect the file with filesystem permissions.

<code bash>
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
</code>

===== Server Certificate =====

In the real world we would now send the CSR to the CA, which signs it and sends back the server certificate. With our own CA we do it ourselves. The result is not self-signed: it is signed by our private CA, so clients must trust ''ca.crt'' for it to validate.

<code bash>
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
</code>

''-set_serial 01'' hard-codes the serial number. Every certificate issued by one CA must have a unique serial, and browsers reject a reused issuer/serial pair, so if you sign more than one certificate with this CA give each a different value or use ''-CAcreateserial'' to keep a counter in ''ca.srl''.

===== Convert Key from PEM format to PKCS12 =====

Now that we have server.crt, server.key and the CA certificate, we can bundle them into PKCS#12 format, which JBoss, web browsers and other tools import as a single file. The bundle contains the private key, so protect it with the export password openssl prompts for:

<code bash>
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt
</code>

===== Adding CA Public Certificate to Java Keystore =====

Java provides the ''keytool'' binary for certificate-related functions, and one of those is importing a certificate into the Java default keystore. Assume the default keystore is ''C:\Java\jdk1.8.0_191\jre\lib\security\cacerts'' (on Java 9 and later it is ''lib\security\cacerts'' directly under the JDK directory, with no ''jre''), and that we are in the directory containing ''ca.crt''. Open the command prompt with ''Administrator'' rights:

<code>
keytool -import -file ca.crt -keystore C:\Java\jdk1.8.0_191\jre\lib\security\cacerts
</code>

It will ask for the keystore password, which by default is ''changeit'', and then ''Trust this certificate? [no]:''. Make sure you answer ''yes''. Without ''-alias'' the entry is stored under the alias ''mykey'', and a second import without an alias fails because that alias is already taken, so give each CA its own ''-alias''.
===== Create a Java Truststore from CA.crt =====

Instead of modifying the JDK's ''cacerts'', a separate truststore can hold only our CA (the file is created if it does not exist, and keytool asks for a new password):

<code>
keytool -import -file ca.crt -alias myCA -keystore ca.trustStore
</code>

Point the JVM at it with ''-Djavax.net.ssl.trustStore=ca.trustStore'' and ''-Djavax.net.ssl.trustStorePassword=<password>''.

===== Cer to Crt (DER encode to PEM) =====

The file extension does not tell you the encoding. Open the .cer file: if it starts with ''-----BEGIN CERTIFICATE-----'' it is already PEM, so just rename it; otherwise it is DER and must be converted:

<code bash>
openssl x509 -inform DER -in ssl_certificate.cer -out ssl_certificate.crt
</code>

===== Crt to Cer (PEM to DER) =====

<code bash>
openssl x509 -in cert.crt -outform der -out cert.cer
</code>

===== Trouble Shooting =====

  - ''Can't open config file: /usr/local/ssl/openssl.cnf'' (Windows): point openssl at a config file, for example the one shipped with Apache: ''set OPENSSL_CONF=C:\.........\apache\Apache2.4.4\conf\openssl.cnf''
  - ''unable to write 'random state''' on Windows: ''set RANDFILE=.rnd''
  - ''unable to write 'random state''' on Linux, typically because ''~/.rnd'' was created by root during an earlier ''sudo openssl'' run: ''sudo rm ~/.rnd''
  - Check a CRT file: ''openssl x509 -in certificate.crt -text -noout'' prints the certificate details (subject, issuer, validity, extensions such as SANs) on screen.
  - Check a CSR file: ''openssl req -text -noout -verify -in CSR.csr'' prints the request details on screen and verifies the CSR's own signature.
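The whole workflow from the sections above, from CA key to signed server certificate, PKCS#12 bundle and the PEM/DER round trip, as one scripted run. This is an added example, not code from the original page: it passes ''-passin''/''-passout'' and small ''-config'' files so nothing prompts and nothing depends on a system ''openssl.cnf'', stamps a subjectAltName onto the server certificate (modern TLS clients match the host name against the SAN, not the CN), and finishes with the checks a practitioner would run. The CA name, the host name ''server.example.test'' and both passphrases are made-up demo values.

```shell
#!/bin/sh
# Added example (not from the original page): private CA + server cert,
# run non-interactively in a scratch directory.
# Assumptions: openssl 1.1.1 or 3.x on PATH; names/passphrases are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="demo-ca-passphrase"    # protects ca.key (-aes256); use a real secret
P12_PASS="demo-p12-passphrase"  # protects the exported .p12 bundle

# Minimal req configs so the run does not need a system openssl.cnf
# (the "Can't open config file" failure from Trouble Shooting).
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = server.example.test
EOF
# Extensions the CA stamps onto the server certificate at signing time.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF

make_ca() {
  # Encrypted CA private key and a self-signed CA certificate.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

make_server_csr() {
  # -nodes leaves server.key unencrypted so the service can start unattended.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -config "$WORK/server.cnf" -out "$WORK/server.csr"
}

sign_server_cert() {
  # -CAcreateserial keeps a ca.srl counter instead of a fixed -set_serial 01,
  # so two certificates from this CA never share a serial number.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt"
}

export_pkcs12() {
  openssl pkcs12 -export -out "$WORK/server.p12" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS"
}

# Checks: each prints a value or returns a status the caller can test.
verify_chain()   { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null; }
# Without ca.crt in a trust store the same certificate must NOT validate;
# this is the state a client is in before the keytool import above.
untrusted_fails() { ! openssl verify "$WORK/server.crt" >/dev/null 2>&1; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_san()     { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[A-Za-z0-9.*-]*'; }
der_roundtrip_ok() {
  # PEM -> DER -> PEM must give back a byte-identical PEM file.
  openssl x509 -in "$WORK/server.crt" -outform der -out "$WORK/server.cer"
  openssl x509 -inform der -in "$WORK/server.cer" -out "$WORK/server2.crt"
  cmp -s "$WORK/server.crt" "$WORK/server2.crt"
}

make_ca
make_server_csr
sign_server_cert
export_pkcs12
verify_chain
der_roundtrip_ok
echo "CA, server certificate and server.p12 written to $WORK"
```

Run it as ''sh make-certs.sh'' (or set ''WORK'' to choose the output directory). ''untrusted_fails'' is the reason the keytool sections exist: until ''ca.crt'' is imported into the client's trust store, ''server.crt'' is rejected even though it is perfectly well formed.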