Creating Cert
CA Private and Public Keys
In the real world we do not have to create these. There are CAs that will sign our Certificate Signing Request (CSR) for a fee. But for private use we may need to, and we will use openssl for it. Private key (encrypted with AES-256; you will be prompted for a passphrase, which you will need again every time the CA signs something):
openssl genrsa -aes256 -out ca.key 4096
Public key, in the form of a self-signed CA certificate valid for 365 days:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Server Private Key and CSR
We need to generate a private key and the corresponding CSR. Note that -nodes leaves server.key unencrypted, so protect that file:
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Server Public Key
At this point in the real world we would send the CSR to the CA, which signs it and sends back the server certificate (the signed public key).
But with our own CA, we have to do it ourselves:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Convert Key and Certificates from PEM to PKCS12
Now that we have server.crt, server.key and the CA's public certificate, we can bundle them into PKCS12 format, which JBoss or a web browser, for instance, can import. You will be prompted for an export password that protects the bundle, since it contains the private key.
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt
Adding CA Public Certificate to Java Keystore
Java provides the keytool binary for certificate-related functions, and one of those is importing a certificate into the Java default keystore. Assume the default keystore is at C:\Java\jdk1.8.0_191\jre\lib\security\cacerts, and that we are in the directory containing the CA public certificate ca.crt. Open the command prompt with Administrator rights.
keytool -import -file ca.crt -keystore C:\Java\jdk1.8.0_191\jre\lib\security\cacerts
It will ask for the keystore password; the default is changeit. It will also ask you to confirm the import. Make sure you answer Yes. Keep in mind that every JVM using this cacerts file will now trust anything signed with ca.key, so that key deserves the same protection as the keystore itself.
Create a Java Truststore from ca.crt
keytool -import -file ca.crt -alias myCA -keystore ca.trustStore
Cer to Crt (DER to PEM)
Open the .cer file; if it starts with -----BEGIN CERTIFICATE-----, it is already PEM and you can just rename it. Otherwise convert it:
openssl x509 -inform DER -in ssl_certificate.cer -out ssl_certificate.crt
Crt to Cer (PEM to DER)
openssl x509 -in cert.crt -outform der -out cert.cer
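The following script is an added example, not part of the original page: it runs the page's OpenSSL steps (private CA, server key and CSR, CA-signed certificate, PKCS12 bundle, PEM/DER conversion) end to end in a scratch directory and then performs the checks a practitioner would run before installing anything: that the certificate chains to our CA and not to some other CA, that the private key matches the certificate, and that the DER round trip preserves the fingerprint. The names demo-ca, other-ca, demo.example.internal and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the page's OpenSSL steps run
# non-interactively in a scratch directory, followed by the checks that
# matter before a certificate is deployed.  All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private CA: the page's two commands, but -subj replaces the prompts and
# the key is left unencrypted so the script runs unattended.  For a CA you
# keep, encrypt the key with -aes256 as the page does.
make_ca() {                      # $1 = file prefix, $2 = CA common name
  openssl genrsa -out "$WORK/$1.key" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.crt" 2>/dev/null
}

# Server key plus CSR, then a certificate issued by our CA.
make_server_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -subj "/CN=demo.example.internal" -out "$WORK/server.csr" 2>/dev/null
}

sign_server_csr() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -set_serial 01 -out "$WORK/server.crt" 2>/dev/null
}

build_all() { make_ca ca demo-ca; make_server_csr; sign_server_csr; }

# Does server.crt chain to the CA certificate named in $1?  Prints ok/fail.
# This is what a truststore does: a certificate issued by any other CA,
# however well formed, must be rejected.
verify_chain() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/server.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# The private key and the certificate must carry the same public key, or the
# server will refuse the pair.  Compare hashes of the two public keys.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# PKCS#12 bundle as on the page, then count the certificates inside it:
# the server certificate plus the CA certificate added with -certfile.
pkcs12_cert_count() {
  openssl pkcs12 -export -out "$WORK/server.p12" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/ca.crt" -passout pass:changeit 2>/dev/null
  openssl pkcs12 -in "$WORK/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The "does it start with BEGIN CERTIFICATE" test from the cer/crt section.
is_pem() {
  if head -n 1 "$WORK/$1" | grep -q 'BEGIN CERTIFICATE'; then echo pem; else echo der; fi
}

# PEM -> DER -> PEM round trip; the SHA-256 fingerprint must not change.
der_roundtrip_ok() {
  openssl x509 -in "$WORK/server.crt" -outform der -out "$WORK/server.cer" 2>/dev/null
  openssl x509 -inform der -in "$WORK/server.cer" -out "$WORK/server2.crt" 2>/dev/null
  a=$(openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/server2.crt" -noout -fingerprint -sha256)
  if [ "$a" = "$b" ]; then echo same; else echo different; fi
}
```

Run it with `sh -c '. ./demo.sh; build_all; verify_chain ca.crt; key_matches_cert'` (assuming you saved the block as demo.sh); the files land in the directory named by WORK, which defaults to a fresh mktemp directory. One caveat on the page's -set_serial 01: every certificate this CA issues gets serial number 1, and clients cache certificates by issuer and serial, so for a CA that signs more than one CSR use -CAcreateserial (which keeps a ca.srl counter file) instead.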
Troubleshooting
- Can't open config file: /usr/local/ssl/openssl.cnf
set OPENSSL_CONF=C:\.........\apache\Apache2.4.4\conf\openssl.cnf
- unable to write 'random state' on Windows
set RANDFILE=.rnd
- unable to write 'random state' on Linux
sudo rm ~/.rnd
- Check the CRT file
openssl x509 -in certificate.crt -text -noout
This prints the details of the certificate (subject, issuer, validity dates, extensions) on screen.
- Check the CSR file
openssl req -text -noout -verify -in CSR.csr
This verifies the CSR's self-signature and prints its details on screen.