Create own CA and CA signed certificates


To supply your own X.509 extensions, create one extension file with the contents below. The `ca` section is used when self-signing the CA certificate and the `server` section when signing server certificates; `@alt_names` refers to the section that lists the server's subject alternative names.

x509.ext file:

[ ca ]
# X509 extensions for a CA
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

[ server ]
# X509 extensions for a server
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names

[ alt_names ]
# Host names the server certificate is valid for
DNS.1 =

Create the CA private key and certificate signing request (CSR)

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout CA.key -out CA.csr

Generate the self-signed CA certificate from the CSR and CA private key

openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr -signkey CA.key -days 1095 -out CA.pem

Generate the private key and certificate request for the server

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout -out

Generate the server certificate from the CSR, signed by the CA

openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial -CAserial -extfile x509.ext -extensions server -in -out
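The OpenSSL steps above run end to end as one non-interactive script, as an added example that is not part of the original post. It assumes openssl is on PATH, uses a constructed host name server.example.test and 2048-bit keys (the post uses rsa:4096) to keep it fast, and finishes with the checks worth making before deploying the result: the server certificate chains to CA.pem, carries the expected SAN, and is not itself a CA.

```shell
# Added example, not the post's own script. Assumes openssl on PATH;
# rsa:2048 and the host name server.example.test are constructed choices.
set -e

# Write the post's extension file, with alt_names filled in for the constructed host.
write_ext() {
    cat > "$1/x509.ext" <<'EOF'
[ ca ]
keyUsage               = critical, cRLSign, keyCertSign
basicConstraints       = CA:TRUE, pathlen:0
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ server ]
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName         = @alt_names
[ alt_names ]
DNS.1 = server.example.test
EOF
}

# Build the CA and a server certificate in directory $1; -subj avoids the prompts.
build_pki() {
    d=$1
    write_ext "$d"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$d/CA.key" -out "$d/CA.csr" 2>/dev/null
    openssl x509 -req -sha256 -extfile "$d/x509.ext" -extensions ca \
        -in "$d/CA.csr" -signkey "$d/CA.key" -days 1095 -out "$d/CA.pem" 2>/dev/null
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -CA "$d/CA.pem" -CAkey "$d/CA.key" -days 730 \
        -CAcreateserial -extfile "$d/x509.ext" -extensions server \
        -in "$d/server.csr" -out "$d/server.pem" 2>/dev/null
}

# Verify the chain, the SAN, and that the server cert cannot sign other certs
# (CA:FALSE) while the CA is limited to end-entity certs (pathlen:0).
check_pki() {
    d=$1
    openssl verify -CAfile "$d/CA.pem" "$d/server.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/server.pem" -noout -text | grep -q 'DNS:server.example.test' || return 1
    openssl x509 -in "$d/server.pem" -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in "$d/CA.pem" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}
```

Run it as `d=$(mktemp -d); build_pki "$d" && check_pki "$d" && echo OK`; a non-zero exit from check_pki means the extension file was not applied as intended.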

Generate a PKCS#12 (PFX) keystore from the PEM key and certificate

openssl pkcs12 -export -out certificate.pfx -inkey -in

Convert the PFX keystore to a JKS keystore

keytool -importkeystore -srckeystore -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Create a truststore from the CA certificate

keytool -import -alias rootca -file CA.pem -storetype JKS -keystore truststore.jks
