Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!
openssl genrsa -des3 -out rootCA.key 4096
If you want a non password protected key just remove the -des3
option
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.
This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA
openssl genrsa -out mydomain.com.key 2048
Important: Please mind that while creating the signign request is important to specify the Common Name
providing the IP address or URL for the service, otherwise the certificate
cannot be verified
openssl req -new -key mydomain.com.key -out mydomain.com.csr
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
openssl req -new -sha256 -nodes -out smiles.local.br.csr -newkey rsa:2048 -keyout smiles.local.br.key -reqexts SAN -config ssl.conf
openssl x509 -req -in smiles.local.br.csr -CA ../smilesRootCA.crt -CAkey ../smilesRootCA.key -CAcreateserial -out smiles.local.br.crt -days 500 -sha256 -extensions req_ext -extfile ssl.conf
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert
keytool -list -v -keystore mykeystore.jks