Creating a Self-Signed Certificate
A step-by-step tutorial on how to create a self-signed certificate, including how to create a PKCS#12 (p12) certificate and how to convert it to JKS.
As MuleSoft developers, we often use signed certificates when exposing a service. I thought it would be helpful to share the commands to create a PKCS#12 (p12) certificate and to convert it to JKS.
Step 1
Verify whether OpenSSL is installed
$ which openssl
/usr/bin/openssl
$
# If it is not installed, use:
$ brew install openssl
If you are using Microsoft Windows, check out http://gnuwin32.sourceforge.net/packages/openssl.htm for details about the openssl package on Windows.
Step 2
Create RSA Private Key
# The below command will create a file named 'server.pass.key' and place it in the same folder where the command is executed.
$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
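# The below command will use the 'server.pass.key' file that was just generated and create 'server.key'.
# 'server.key' is written without a passphrase, so keep it readable only by the account that runs the service.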
$ openssl rsa -passin pass:x -in server.pass.key -out server.key
# We no longer need the 'server.pass.key'
$ rm server.pass.key
$
Step 3
Create the Certificate Signing Request (CSR), utilizing the RSA private key we generated in the last step.
# The below command will ask you for information that would be included in the certificate. Since this is a self-signed certificate, there is no need to provide the 'challenge password' (to leave it blank, press enter).
$ openssl req -new -key server.key -out server.csr
You will be asked for additional details. Fill them in and press Enter.
Step 4
Generate a file named v3.ext with the below-listed contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>
$
For multiple domain names, subjectAltName can list additional entries:
[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>
DNS.2 = <domain name 2>
Step 5
Create the SSL Certificate, utilizing the CSR created in the last step.
$ openssl x509 -req -sha256 -extfile v3.ext -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=<country>/ST=<state>/L=<locality>/O=<organization-name>/OU=<organization-unit-name>/CN=<common-name-probably-server-fqdn>/emailAddress=<email-address-provided-while-generating-csr>
Getting Private key
$
Step 6
Create the P12
$ openssl pkcs12 -export -name servercert -in server.crt -inkey server.key -out myp12keystore.p12
Convert the P12 to JKS
$ keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
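Steps 2 to 5 can be run without prompts in a scratch directory and the result checked before it is packaged in Step 6: the key and certificate belong together, the SAN carries the host name, and issuer and subject are identical. This is an added example, not the author's code; the function names and the host name example.test are assumptions, and the key is generated directly without a passphrase, which is the same end state as Step 2.

```shell
#!/bin/sh
# Added example, not the article's code. Function names and the host name
# in the usage line at the bottom are illustrative assumptions.

# make_selfsigned <common-name> <dir>
# Runs Steps 2-5 without prompts; writes server.key, server.csr, v3.ext
# and server.crt into <dir>.
make_selfsigned() {
    cn=$1; dir=$2
    (
        umask 077   # server.key has no passphrase: create it owner-only
        cd "$dir" || exit 1
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -subj "/CN=$cn" -out server.csr || exit 1
        cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $cn
EOF
        openssl x509 -req -sha256 -extfile v3.ext -days 365 \
            -in server.csr -signkey server.key -out server.crt
    )
}

# key_matches_cert <crt> <key>: the certificate's public key equals the
# public key derived from the private key file.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_has_san <crt> <name>: <name> appears as an exact DNS entry in the SAN list.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -Fxq "DNS:$2"
}

# is_self_signed <crt>: issuer and subject are identical, as expected for a
# certificate produced with -signkey.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# Usage: d=$(mktemp -d) && make_selfsigned example.test "$d" \
#        && key_matches_cert "$d/server.crt" "$d/server.key"
```

A certificate that fails cert_has_san for the host name clients connect to will be rejected by clients that validate the SAN, so run the check before importing into the JKS.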