Skip to content

Instantly share code, notes, and snippets.

@addomafi
Last active May 16, 2018 17:36
Show Gist options
  • Save addomafi/3e76a1c3b58d33fd59d910bda864e2b7 to your computer and use it in GitHub Desktop.
Save addomafi/3e76a1c3b58d33fd59d910bda864e2b7 to your computer and use it in GitHub Desktop.

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

If you want a non password protected key just remove the -des3 option

Create and self sign the Root Certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Here we used our root key to create the root certificate that needs to be distributed in all the computers that have to trust us.

Create a certificate (Done for each server)

This procedure needs to be followed for each server/appliance that needs a trusted certificate from our CA

Create the certificate key

openssl genrsa -out mydomain.com.key 2048

Create the signing request

Important: Please mind that while creating the signign request is important to specify the Common Name providing the IP address or URL for the service, otherwise the certificate cannot be verified

openssl req -new -key mydomain.com.key -out mydomain.com.csr

Generate the certificate using the mydomain csr and key along with the CA Root key

openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256

Create a certificate with SAN Extension

Create a custom config file ssl.conf

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com

Generate an CSR file

openssl req -new -sha256 -nodes -out smiles.local.br.csr -newkey rsa:2048 -keyout smiles.local.br.key -reqexts SAN -config ssl.conf

Generate the certificate using the mydomain csr and key along with the CA Root key

openssl x509 -req -in smiles.local.br.csr -CA ../smilesRootCA.crt -CAkey ../smilesRootCA.key -CAcreateserial -out smiles.local.br.crt -days 500 -sha256 -extensions req_ext -extfile ssl.conf

Create a new keystore

Create PKCS12 keystore from private key and public certificate.

openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

Convert PKCS12 keystore into a JKS keystore

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

To verify the contents of the JKS, you can use this command:

keytool -list -v -keystore mykeystore.jks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment