Create own CA and CA signed certificates


To supply your own X.509 extensions, create one extension file with the contents below. It holds a `ca` section used when signing the CA certificate and a `server` section used when signing server certificates; the subjectAltName entries must list every hostname clients will use to reach the server.

x509.ext file:

[ ca ]
# X509 extensions for a CA certificate
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ server ]
# X509 extensions for a server certificate
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names

[ alt_names ]
# hostnames clients connect with; each must match the name the certificate is issued for
DNS.1 = server1.example.com

Create the CA private key and a certificate signing request for it

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout CA.key -out CA.csr

Generate the self-signed CA certificate from the CSR and CA private key, applying the `ca` extensions

openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr -signkey CA.key -days 1095 -out CA.pem

Generate the server private key and certificate request

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout www.example.com.key -out www.example.com.csr

Generate the server certificate from the CSR, signed by the CA with the `server` extensions

openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial -CAserial CA.srl -extfile x509.ext -extensions server -in www.example.com.csr -out www.example.com.pem

Generate a PKCS#12 (pfx) keystore from the server key and certificate

openssl pkcs12 -export -out certificate.pfx -inkey www.example.com.key -in www.example.com.pem

Convert the PFX keystore produced above to a JKS keystore

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Create a truststore containing the CA certificate

keytool -import -alias rootca -file CA.pem -storetype JKS -keystore truststore.jks
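As an added example (not part of the original post), the shell function below runs the OpenSSL steps above non-interactively in a scratch directory and then checks the result: the server certificate must verify against the CA and the expected basicConstraints and SAN must be present. It assumes the `-subj` values shown and uses rsa:2048 instead of rsa:4096 to keep key generation fast.

```shell
set -eu

make_and_verify_chain() {
    workdir=$(mktemp -d)
    cd "$workdir"

    # Extension file from the post, with the SAN set to the server's name.
    cat > x509.ext <<'EOF'
[ ca ]
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ server ]
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = www.example.com
EOF

    # CA key + CSR, then the self-signed CA certificate (assumed -subj)
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=Example Root CA" \
        -keyout CA.key -out CA.csr 2>/dev/null
    openssl x509 -req -sha256 -extfile x509.ext -extensions ca \
        -in CA.csr -signkey CA.key -days 1095 -out CA.pem 2>/dev/null

    # Server key + CSR, then the CA-signed server certificate (assumed -subj)
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=www.example.com" \
        -keyout www.example.com.key -out www.example.com.csr 2>/dev/null
    openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -CAcreateserial -days 730 \
        -extfile x509.ext -extensions server \
        -in www.example.com.csr -out www.example.com.pem 2>/dev/null

    # Checks: chain validates, CA is a CA, server cert is not, SAN is present
    openssl verify -CAfile CA.pem www.example.com.pem >/dev/null
    openssl x509 -in CA.pem -noout -text | grep -q 'CA:TRUE'
    openssl x509 -in www.example.com.pem -noout -text | grep -q 'CA:FALSE'
    openssl x509 -in www.example.com.pem -noout -text | grep -q 'DNS:www.example.com'
    echo "$workdir"
}
```

Call `make_and_verify_chain`; it prints the scratch directory holding CA.pem, www.example.com.key and www.example.com.pem, which can then be packaged with the pkcs12 and keytool steps above.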
