Create your own CA and CA-signed certificates

To supply your own X.509 extensions, create one extension file containing the sections below. The file is passed to openssl x509 with -extfile, and -extensions selects which section applies: [ ca ] for the CA certificate, [ server ] for the server certificate.

x509.ext file:

[ ca ]
# X509 extensions for a CA certificate
keyUsage                = critical, cRLSign, keyCertSign
# RFC 5280 requires basicConstraints to be critical in CA certificates;
# pathlen:0 means this CA may issue end-entity certificates only, no sub-CAs
basicConstraints        = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ server ]
# X509 extensions for a server certificate
keyUsage                = critical, digitalSignature, keyEncipherment
# drop clientAuth unless this certificate is also used to authenticate as a client
extendedKeyUsage        = serverAuth, clientAuth
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer:always
subjectAltName          = @alt_names

[ alt_names ]
# the host name(s) clients connect to; clients validate these, not the CN.
# add DNS.2, DNS.3, ... for further names
DNS.1 = www.example.com

Create the CA private key and a certificate request for it

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout CA.key -out CA.csr

-nodes writes CA.key unencrypted. For anything beyond a throwaway lab, leave -nodes out so the CA key is protected by a passphrase, and keep CA.key off the servers that use the certificates it signs: whoever holds it can issue certificates that every client trusting this CA will accept. You are prompted for the subject; pass -subj "/CN=Example Root CA" instead to run non-interactively.

Self-sign the CA certificate (valid for 1095 days) from the CSR, applying the [ ca ] extensions

openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr -signkey CA.key -days 1095 -out CA.pem

Generate the server private key and certificate signing request

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout www.example.com.key -out www.example.com.csr

The subject CN you are prompted for is informational only; clients validate the host name against subjectAltName, which comes from the [ alt_names ] section of x509.ext, so the name there must be the one clients connect to.

Sign the server CSR with the CA (valid for 730 days), applying the [ server ] extensions; -CAcreateserial creates the serial-number file CA.srl on first use

openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial -CAserial CA.srl -extfile x509.ext -extensions server -in www.example.com.csr -out www.example.com.pem

Export the server key and certificate to a PKCS#12 (.pfx) keystore. You are prompted for an export password, which keytool needs in the next step

openssl pkcs12 -export -out certificate.pfx -inkey www.example.com.key -in www.example.com.pem

Convert the PKCS#12 keystore to a JKS keystore

keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Create a truststore containing the CA certificate

keytool -import -alias rootca -file CA.pem -storetype JKS -keystore truststore.jks

Clients that load truststore.jks accept any certificate issued by this CA, so distribute only CA.pem, never CA.key.
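The whole procedure above as one non-interactive script, with the checks a practitioner runs before shipping the files. This is an added example, not code from the original page: it assumes the host name www.example.com, the subject names passed with -subj, 2048-bit keys (the page uses 4096) and an output directory chosen by the caller; the openssl flags are the ones the page uses, keytool is only run when installed, and the extension file is the page's x509.ext with basicConstraints marked critical on the CA and extendedKeyUsage narrowed to serverAuth.

```shell
#!/bin/sh
# Added example (not from the original page): runs the page's CA and server
# certificate steps non-interactively, then checks the result the way a client
# would. Assumed: HOST, the -subj values, 2048-bit keys, the output directory.
set -eu

HOST=www.example.com   # assumed host name; it must be the name in the SAN

# Writes the page's x509.ext with basicConstraints critical on the CA,
# extendedKeyUsage limited to serverAuth and DNS.1 set to $HOST.
write_ext_file() {
    cat > "$1/x509.ext" <<EOF
[ ca ]
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ server ]
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names

[ alt_names ]
DNS.1 = $HOST
EOF
}

# Page steps 1-4: CA key + CSR, self-signed CA cert, server key + CSR,
# server cert signed by the CA. All files are written to directory $1.
build_pki() {
    dir=$1
    write_ext_file "$dir"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=Example Root CA" \
        -keyout "$dir/CA.key" -out "$dir/CA.csr" 2>/dev/null
    openssl x509 -req -sha256 -extfile "$dir/x509.ext" -extensions ca \
        -in "$dir/CA.csr" -signkey "$dir/CA.key" -days 1095 -out "$dir/CA.pem" 2>/dev/null
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=$HOST" \
        -keyout "$dir/$HOST.key" -out "$dir/$HOST.csr" 2>/dev/null
    openssl x509 -req -sha256 -CA "$dir/CA.pem" -CAkey "$dir/CA.key" -days 730 \
        -CAcreateserial -CAserial "$dir/CA.srl" -extfile "$dir/x509.ext" \
        -extensions server -in "$dir/$HOST.csr" -out "$dir/$HOST.pem" 2>/dev/null
}

# Page step 5: PKCS#12 export of key + cert, with CA.pem bundled; $2 is the password.
export_pfx() {
    openssl pkcs12 -export -name "$HOST" -in "$1/$HOST.pem" -inkey "$1/$HOST.key" \
        -certfile "$1/CA.pem" -passout "pass:$2" -out "$1/certificate.pfx"
}

# Page steps 6-7: JKS keystore and truststore, only when keytool is installed.
import_jks() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -importkeystore -srckeystore "$1/certificate.pfx" -srcstoretype pkcs12 \
        -srcstorepass "$2" -destkeystore "$1/keystore.jks" -deststoretype JKS \
        -deststorepass "$2" -noprompt
    keytool -import -alias rootca -file "$1/CA.pem" -storetype JKS \
        -keystore "$1/truststore.jks" -storepass "$2" -noprompt
}

# Returns 0 when the server cert chains to CA.pem AND its SAN matches $HOST,
# i.e. the two checks a TLS client performs.
verify_chain() {
    openssl verify -CAfile "$1/CA.pem" -verify_hostname "$HOST" "$1/$HOST.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate in $1 asserts CA:TRUE; the server cert must not.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when the PKCS#12 file's integrity MAC verifies under password $2.
pfx_mac_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Usage: sh make_ca.sh <output-dir> <keystore-password>
if [ "$#" -eq 2 ]; then
    mkdir -p "$1"
    build_pki "$1"
    export_pfx "$1" "$2"
    import_jks "$1" "$2"
    verify_chain "$1" && echo "$HOST.pem chains to CA.pem and matches $HOST"
fi
```

verify_chain is the check worth keeping around: -verify_hostname fails for a certificate whose SAN does not carry the name clients use, which is exactly the mistake a mismatched [ alt_names ] entry produces, and openssl verify without -CAfile would fail because the private CA is not in the system trust store.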
