Generating SSL
Step 1
Verify whether OpenSSL is installed
$ which openssl
# If it is not installed, use the following command on Linux (brew is the Homebrew package manager)
$ brew install openssl
Step 2
Create RSA Private Key
# The command below creates a file named '[Link]' in the folder where
# the command is executed. In pass:x, x is the password.
$ openssl genrsa -des3 -passout pass:x -out [Link] 2048
# The command below uses the '[Link]' file just generated and creates
# '[Link]'.
$ openssl rsa -passin pass:x -in [Link] -out [Link]
# We no longer need the '[Link]'
$ rm [Link]
Step 3
Create the Certificate Signing Request (CSR), utilizing the RSA private
key we generated in the last step.
# The command below will ask you for information to be included in the
# certificate. Since this is a self-signed certificate, there is no need
# to provide the 'challenge password' (to leave it blank, press enter).
$ openssl req -new -key [Link] -out [Link]
You will be asked for additional details. Fill them and press enter.
Step 4
Generate a file named [Link] with the below-listed contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>
For multiple domain names, additional subjectAltName entries can be used:
[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>
DNS.2 = <domain name 2>
Step 5
Create the SSL Certificate, utilizing the CSR created in the last step.
$ openssl x509 -req -sha256 -extfile [Link] -days 365 -in [Link] -signkey [Link] -out [Link]
Signature ok
subject=/C=<country>/ST=<state>/L=<locality>/O=<organization-name>/OU=<organization-unit-name>/CN=<common-name-probably-server-fqdn>/emailAddress=<email-address-provided-while-generating-csr>
Getting Private key
$
If you do not have an ext file, give the following command to generate the
SSL certificate:
$ openssl x509 -req -sha256 -days 365 -in [Link] -signkey [Link] -out [Link]
Step 6
Creating P12
$ openssl pkcs12 -export -name servercert -in [Link] -inkey [Link] -out myp12keystore.p12
Converting P12 to JKS
$ keytool -importkeystore -destkeystore [Link] -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
On Windows, first download OpenSSL from the official site, extract the zip
file, and set the path in a cmd window run in admin mode:
set OPENSSL_CONF=path of the open SSL\openssl-0.9.8k_X64\[Link]
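
A check worth running after Step 5, as an added example that is not part of the original page: it repeats Steps 2 to 5 non-interactively, then confirms that the certificate holds the public half of the private key and that the subjectAltName from the ext file reached the certificate (signing without the ext file leaves it out). The demo.* file names, the host demo.example.test and the function names are assumptions.

```shell
#!/bin/sh
# Added example. The demo.* file names and the host demo.example.test are
# constructed placeholders; they are not the file names used on this page.

# Steps 2-5 in directory $1 for host $2. Pass "noext" as $3 to sign without
# the ext file. The key is written unencrypted, the end state of Step 2.
make_cert() {
    dir=$1; host=$2; mode=${3:-ext}
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/demo.key" -subj "/CN=$host" \
        -out "$dir/demo.csr" || return 1
    if [ "$mode" = noext ]; then
        openssl x509 -req -sha256 -days 365 -in "$dir/demo.csr" \
            -signkey "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
        return
    fi
    cat > "$dir/demo.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
EOF
    openssl x509 -req -sha256 -extfile "$dir/demo.ext" -days 365 -in \
        "$dir/demo.csr" -signkey "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
}

# Succeeds only if certificate $2 holds the public half of private key $1.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if certificate $1 has a subjectAltName DNS entry equal to $2.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

work=$(mktemp -d)
if make_cert "$work" demo.example.test; then
    key_matches_cert "$work/demo.key" "$work/demo.crt" && echo "key matches certificate"
    cert_has_san "$work/demo.crt" demo.example.test && echo "SAN present"
    make_cert "$work" demo.example.test noext &&
        { cert_has_san "$work/demo.crt" demo.example.test || echo "no SAN without ext file"; }
fi
rm -rf "$work"
```

The same two functions can be pointed at the key and certificate files produced by the steps above before the certificate is packaged into the P12 in Step 6.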