11 Dec 2013

Create a new keystore to host a server ssl certificate

Written by fabio

Few basic steps to create a complete keystore to host a server SSL certificate.

  • Create your custom self-signed CA if not yet available a trusted one
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.cer -config openssl.cnf
  • Generate your server private key
keytool -genkey -alias server -dname "CN=www.tirasa.net, OU=ITC, O=Tirasa, L=Pescara, ST=Italy, C=IT" -storepass password -keystore keystore -keyalg RSA -keypass password
  • Import the CA create above into your new keystore
keytool -import -alias ca -file ca.cer  -keypass password -keystore keystore -storepass password
  • Generate your certificate request
keytool -certreq -alias server -keyalg RSA -file tirasa.req -keypass password -keystore keystore -storepass password
  • Sign request with your CA
openssl ca -config openssl.cnf -days 3650 -cert ca.cer -keyfile ca.key -out tirasa.pem -infiles tirasa.req
  • Modify server certificate.
    Remove all excluding what inside BEGIN/END CERTIFICATE
              -----END CERTIFICATE-----
  • Genberate DER certificate from your modified PEM
openssl x509 -in tirasa.pem -outform DER -out tirasa.der
  • Import DER certificate.
    Make sure to use the same alias used for the private key.
keytool -import -alias server -file tirasa.der -keypass password -keystore keystore -storepass password

« Return