Original Publish Date : 8/18/2015
Below are the steps to create a self-signed certificate using OpenSSL :
STEP 1 :
Create a private key and public certificate using the following command :
Command : openssl req -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem -days 3650

In the above command :
– If you add "-nodes", the private key is written without a passphrase, i.e. it is not encrypted.
– cakey.pem is the private key
– cacert.pem is the public certificate
STEP 2 :
Use the following Java utility to create a JKS keystore :
Command : java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfilepass privatepassword -certfile cacert.pem -keyfile cakey.pem -alias mykey

Alternatively, you can use the following commands to create a PKCS12 / JKS file :
STEP 2a :
Create a PKCS12 keystore :
Command : openssl pkcs12 -export -in cacert.pem -inkey cakey.pem -out identity.p12 -name "mykey"

In the above command :
– "-name" is the alias of the private key entry in the keystore.
STEP 2b :
Now convert the PKCS12 keystore to a JKS keystore using the keytool command :
Command : keytool -importkeystore -destkeystore identity.jks -deststorepass password -srckeystore identity.p12 -srcstoretype PKCS12 -srcstorepass password

STEP 3 :
Create a trust keystore using the following command :
Command : keytool -import -file cacert.pem -keystore trust.jks -storepass password

<Additional Info>
– To view the public certificate :
openssl x509 -in cacert.pem -noout -text
– To concatenate the private key and public certificate into a single PEM file (which is required by many web servers) :
cat cakey.pem cacert.pem > server.pem
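
A scripted form of STEP 1 with checks on its output, added here as an example and not part of the original post. The subject "/CN=example.test", the KEY_PASS variable and its sample passphrase, and the function names are assumptions made for the example; the file names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow STEP 1;
# the subject and the passphrase are constructed sample values.
KEY_PASS="${KEY_PASS:-constructed-sample-passphrase}"
export KEY_PASS

# STEP 1 without prompts: -subj supplies the subject and -passout env:KEY_PASS
# reads the key passphrase from the environment, keeping it off the command line.
make_cert() {  # $1 = output directory
    ( umask 077   # private key is created readable by its owner only
      openssl req -newkey rsa:2048 -x509 -days 3650 -subj "/CN=example.test" \
          -keyout "$1/cakey.pem" -out "$1/cacert.pem" -passout env:KEY_PASS 2>/dev/null )
}

# True when the key file is passphrase-protected, i.e. "-nodes" was not used.
key_is_encrypted() {  # $1 = private key file
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" ||
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# True when the certificate carries the public half of the private key.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir"
key_is_encrypted "$demo_dir/cakey.pem" && echo "key is encrypted"
key_matches_cert "$demo_dir/cakey.pem" "$demo_dir/cacert.pem" && echo "key matches certificate"
valid_for_days "$demo_dir/cacert.pem" 365 && echo "valid for at least another year"
rm -rf "$demo_dir"
```

The key/certificate comparison is worth running again before STEP 2, since a keystore built from a mismatched pair only fails later, when the server tries to use it.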
