Create your own CA and CA-signed certificates

To supply your own X.509 extensions, create an extension file with the contents below.

x509.ext file:

[ ca ]
# X509 extensions for a ca
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
[ server ]
# X509 extensions for a server
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names
[ alt_names ]
# Section referenced by @alt_names above; replace the placeholder with the server's DNS name
DNS.1 = <server-dns-name>

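Create the private key and certificate signing request (CSR) for the CA. The -nodes option writes CA.key unencrypted, so restrict access to that file.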

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout CA.key -out CA.csr

Generate the self-signed CA certificate from the CA CSR and private key

openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr -signkey CA.key -days 1095 -out CA.pem

Generate certificate request for server

openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout <server-key-file> -out <server-csr-file>

Generate certificate using CSR

openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial -CAserial <serial-file> -extfile x509.ext -extensions server -in <server-csr-file> -out <server-cert-file>

Generate a PFX keystore from the PEM files

openssl pkcs12 -export -out certificate.pfx -inkey <server-key-file> -in <server-cert-file>

Convert the PFX keystore to a JKS keystore

keytool -importkeystore -srckeystore <pfx-keystore-file> -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Create Truststore from CA certificate

keytool -import -alias rootca -file CA.pem -storetype JKS -keystore truststore.jks
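
The CA and server-certificate steps above, run non-interactively and followed by the checks worth making before the certificate goes into a keystore (an added example, not part of the original page; the keytool steps are left out). The subject names, the host name server.example.test, the server.* and CA.srl file names, the [ alt_names ] section header and the 2048-bit key size are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed values: the subject
# names, server.example.test, and the server.* / CA.srl file names.
# rsa:2048 keeps the run short; the page's commands use rsa:4096.

make_pki() {  # $1 = empty working directory
    ( cd "$1" || exit 1
      cat > x509.ext <<'EOF'
[ ca ]
keyUsage                = critical, cRLSign, keyCertSign
basicConstraints        = CA:TRUE, pathlen:0
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
[ server ]
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = serverAuth,clientAuth
basicConstraints        = critical,CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
subjectAltName          = @alt_names
[ alt_names ]
DNS.1 = server.example.test
EOF
      openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
          -keyout CA.key -out CA.csr &&
      openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr \
          -signkey CA.key -days 1095 -out CA.pem &&
      openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=server.example.test" \
          -keyout server.key -out server.csr &&
      openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial \
          -CAserial CA.srl -extfile x509.ext -extensions server \
          -in server.csr -out server.pem
    ) >/dev/null 2>&1
}

verify_server() {  # $1 = directory, $2 = host name a client would connect to
    # Chain to the CA, TLS-server purpose, and host name match against the SAN.
    openssl verify -CAfile "$1/CA.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = directory; compares the two public keys
    [ "$(openssl x509 -in "$1/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

work=$(mktemp -d)
make_pki "$work" && verify_server "$work" server.example.test &&
    key_matches_cert "$work" && echo "server.pem verifies against CA.pem"
```

verify_server fails for any host name not listed under [ alt_names ], which is the same check a TLS client applies when it connects.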
