Creating Cert

In the real word we do not have to create those. There are CAs in this world that will sign our Certificate Signing Request (csr) with charge. But for privately use, we might need so. We will use openssl for doing so. Private Key:

openssl genrsa -aes256 -out ca.key 4096

Public Key:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

We need to generate private key, and the corresponding CSR.

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr

At this point in the real world, we need to send the csr to the CA to sign for the server public key, and the CA will do the rest, and then send us back the signed public key.

But for a self signed one, we need to DIY:

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Now that we have the server.crt, server.key, and the CA's public cert, we can convert it to pkcs12 format for, JBOSS, web browser for instance.

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Java provides keytool binary for cert related functions, and once of those is to import cert to java default keystore. Assume the location of the default keystore is C:\Java\jdk1.8.0_191\jre\lib\security\cacerts, and assume we are in the directory where the CA public cert file ca.crt. Open the command prompt with Administrator rights.

keytool -import -file ca.crt -keystore C:\Java\jdk1.8.0_191\jre\lib\security\cacerts

It will ask for the keystore password, and the default one is changeit. It will also ask you to confirm to import the cert file. Make sure you answer Yes.

keytool -import -file ca.crt -alias myCA -keystore ca.trustStore

One the cer file, if it start with —–BEGIN CERTIFICATE—–, just rename it, else do:

openssl x509 -inform DER -in ssl_certificate.cer -out ssl_certificate.crt
openssl x509 -in cert.crt -outform der -out cert.cer
  1. Can't open config file: /usr/local/ssl/openssl.cnf
    set OPENSSL_CONF=C:\.........\apache\Apache2.4.4\conf\openssl.cnf
  2. unable to write 'random state' for windows
    set RANDFILE=.rnd
  3. unable to write 'random state' for linux
    sudo rm ~/.rnd
  4. Check the CRT file
    openssl x509 -in certificate.crt -text -noout

    , and you will see the details of the crt display on screen

  5. Check the CRS file
    openssl req -text -noout -verify -in CSR.csr

    , and you will see the details of the csr display on screen

  • tslcert/creating_cert.txt
  • Last modified: 2020/06/02 09:37
  • by chongtin