Deep dive into various configurations with Oracle Weblogic Server

  • August 18, 2015

Steps to create a self-signed certificate using OpenSSL

Puneeth Prakash
Principal Software Engineer

Below are the steps to create a self-signed certificate using OpenSSL :

STEP 1 :

Create a private key and public certificate using the following command :

Command : openssl req -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem -days 3650 

In the above command :

- If you add "-nodes" then your private key will not be encrypted.

- cakey.pem is the private key

- cacert.pem is the public certificate

STEP 2 :

Use the following Java utility to create a JKS keystore : 

Command : java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfilepass privatepassword -certfile cacert.pem -keyfile cakey.pem -alias mykey 

Alternatively, you can use the following commands to create a PKCS12 / JKS file : 

STEP 2a :

Create a PKCS12 keystore :

Command : openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "mykey" 

In the above command :

- "-name" is the alias of the private key entry in keystore. 

STEP 2b :

Now convert the PKCS12 keystore to a JKS keystore using the keytool command : 

Command : keytool -importkeystore -destkeystore identity.jks -deststorepass password -srckeystore identity.p12 -srcstoretype PKCS12 -srcstorepass password 

STEP 3 :

Create a trust keystore using the following command :

Command : keytool -import -file cacert.pem -keystore trust.jks -storepass password

<Additional Info>

- To view the public certificate :

 openssl x509 -in cacert.pem -noout -text

- To concatenate the private key and public certificate into a PEM file (which is required by many web servers) :

 cat cakey.pem cacert.pem > server.pem  
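
- To check the files from STEP 1 and STEP 2a (an added example, not part of the original post) : the script below confirms that the key is encrypted, that it matches the certificate, that the certificate is self-signed, and that identity.p12 holds the same certificate. The script name check_identity.sh and the environment variables KEY_PASS and STORE_PASS are assumptions of this example.

```sh
#!/bin/sh
# Added example: checks on the files produced by STEP 1 and STEP 2a.
# Assumption: the passphrases are exported as KEY_PASS (private key) and
# STORE_PASS (PKCS12 file), which keeps them off the command line.

# True when the PEM key is stored encrypted, i.e. "-nodes" was not used.
key_is_encrypted() {      # usage: key_is_encrypted cakey.pem
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True when the certificate carries the public half of the private key.
key_matches_cert() {      # usage: key_matches_cert cakey.pem cacert.pem
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when subject equals issuer and the certificate verifies against itself
# (signature checked, validity period not expired).
cert_is_self_signed() {   # usage: cert_is_self_signed cacert.pem
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    issu=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$subj" = "$issu" ] &&
        openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the PKCS12 file from STEP 2a contains the same certificate.
p12_holds_cert() {        # usage: p12_holds_cert identity.p12 cacert.pem
    in_p12=$(openssl pkcs12 -in "$1" -nokeys -passin env:STORE_PASS 2>/dev/null |
             openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    on_disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$in_p12" ] && [ "$in_p12" = "$on_disk" ]
}

# Run as: KEY_PASS=... sh check_identity.sh cakey.pem cacert.pem
if [ "$#" -eq 2 ]; then
    key_is_encrypted "$1" || echo "WARNING: $1 is not encrypted (was -nodes used?)"
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; exit 1; }
    cert_is_self_signed "$2" || { echo "FAIL: $2 is not a valid self-signed certificate"; exit 1; }
    echo "OK: $1 and $2 form a consistent self-signed identity"
fi
```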


Comments ( 1 )
  • Sarang Ratnalikar Wednesday, November 4, 2020
    Thanks. Very helpful :)