Certificate Generation
Brief guide in creating your own Certificate Authority (CA) and generating your own self-signed certificates (both in JKS and PEM formats). You can simply copy and execute the code snippets - just ensure you change the password.
To create your own certificate authority (CA), you need to generate a private key and a self-signed root certificate. These will be used to sign the server certificates.
You need a private key for your CA. This private key will be used to sign certificates. Use the following command to generate the private key for the CA:
```bash
# genpkey takes the output passphrase via -pass (the -passout spelling belongs to genrsa/req, not genpkey)
openssl genpkey -algorithm RSA -out ca.key -aes256 -pass pass:your_password -pkeyopt rsa_keygen_bits:2048
```
This will create a private key (ca.key) with AES256 encryption.
Once you have the private key, generate a self-signed certificate for your CA:
```bash
openssl req -key ca.key -new -x509 -out ca.crt -days 3650 -passin pass:your_password
```
This command will ask for information such as the country, state, and organization. You can fill it in as needed or just press Enter for defaults. This will create the root certificate (ca.crt).
Now that you have your CA set up, you can generate a private key for the server that will use your CA to sign the certificate.
```bash
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
```
Next, create a CSR using the server's private key. This CSR will be sent to the CA for signing.
```bash
openssl req -new -key server.key -out server.csr
```
This will ask you for information about the server (like domain name). Be sure to use the correct Common Name (CN), which should match the server's hostname.
Now that you have the CSR, you can sign it with your CA to generate a signed certificate.
```bash
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -passin pass:your_password
```
This will generate the server certificate (server.crt), signed by your CA (ca.crt).
You likely already have the server certificate and key in PEM format. If not, convert them as follows:
```bash
openssl rsa -in server.key -out server.pem
cat server.crt server.pem > server_full.pem
```
Now you have the full server certificate and private key in PEM format (server_full.pem).
Java KeyStore (JKS) is the format commonly used by Java applications to store cryptographic keys and certificates. To convert the certificates into JKS format, you’ll need to use the keytool utility that comes with Java.
```bash
keytool -import -alias myca -file ca.crt -keystore keystore.jks
```
This command will ask for a password for the keystore (keystore.jks), which you will use to secure the keystore.
You will need to convert the private key and certificate into a format that keytool can handle. One way to do this is to first create a PKCS12 keystore that contains the private key and the signed certificate.
```bash
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name server -CAfile ca.crt -caname root
```
This will create a PKCS12 file (server.p12) that contains the server certificate and private key.
Now, import this PKCS12 keystore into a Java KeyStore:
```bash
keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
```
You’ll need to provide the passwords for the PKCS12 keystore and the JKS keystore during this process.
Now that you have both PEM and JKS certificates, you can use them in your application. Verify the contents of your JKS keystore with:
```bash
keytool -list -keystore keystore.jks
```
You can also verify the PEM certificates:
```bash
openssl x509 -in server.crt -text -noout
```
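The whole procedure above, collected into one non-interactive script as an added example; it is not part of this guide or of Ermis Server. It assumes `openssl` is on PATH and treats `keytool` as optional; the CA subject, the hostname `localhost` and the two passwords are placeholders. It differs from the guide in three deliberate ways: `-subj` replaces the interactive prompts, the signing step passes a `subjectAltName` through `-extfile` because TLS clients today ignore the CN and reject certificates without a SAN, and `-certfile` bundles the CA into the PKCS12 file so the JKS entry carries the full chain. It ends with a check that the certificate actually chains to the CA, names the host, and matches the key.

```shell
#!/bin/sh
# Added example for this guide (not the project's own script): the same
# CA -> server certificate -> PEM -> PKCS12 -> JKS flow, run without prompts
# and finished with a chain check. Assumptions: openssl on PATH, keytool
# optional, subject names/hostname/passwords are placeholders to replace.
set -eu

CA_PASS="${CA_PASS:-change_me_ca_password}"           # placeholder (assumed value)
STORE_PASS="${STORE_PASS:-change_me_store_password}"  # placeholder (assumed value)

# make_ca DIR: AES-encrypted CA key and self-signed root; -subj avoids the prompts.
make_ca() {
    dir="$1"
    openssl genpkey -algorithm RSA -out "$dir/ca.key" -aes256 \
        -pass "pass:$CA_PASS" -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -key "$dir/ca.key" -new -x509 -out "$dir/ca.crt" -days 3650 \
        -subj "/CN=Example Test Root CA" -passin "pass:$CA_PASS"
}

# make_server_cert DIR HOST: server key, CSR, CA-signed certificate and the
# combined PEM. The guide's x509 -req step adds no extensions; modern TLS
# clients ignore the CN and require a subjectAltName, so one is added via -extfile.
make_server_cert() {
    dir="$1"; host="$2"
    openssl genpkey -algorithm RSA -out "$dir/server.key" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host"
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 3650 -passin "pass:$CA_PASS" \
        -extfile "$dir/san.ext" 2>/dev/null
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server_full.pem"
}

# to_pkcs12 DIR: key + certificate + CA in one PKCS12 file for keytool
# (-certfile bundles the CA so the JKS entry carries the full chain).
to_pkcs12() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/ca.crt" -name server -out "$dir/server.p12" \
        -passout "pass:$STORE_PASS"
}

# to_jks DIR: PKCS12 -> JKS plus the CA as a trusted entry; skipped without a JDK.
to_jks() {
    dir="$1"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping JKS conversion" >&2
        return 0
    fi
    keytool -importkeystore -srckeystore "$dir/server.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STORE_PASS" -destkeystore "$dir/keystore.jks" \
        -deststoretype JKS -deststorepass "$STORE_PASS" -noprompt
    keytool -import -alias myca -file "$dir/ca.crt" -keystore "$dir/keystore.jks" \
        -storepass "$STORE_PASS" -noprompt
}

# verify_chain DIR HOST: succeeds only if server.crt chains to ca.crt, names
# HOST in its SAN, and belongs to server.key (same RSA modulus).
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    cert_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

main() {
    out="$1"; host="$2"
    mkdir -p "$out"
    make_ca "$out"
    make_server_cert "$out" "$host"
    to_pkcs12 "$out"
    to_jks "$out"
    verify_chain "$out" "$host"
    echo "OK: $out/server.crt for $host chains to $out/ca.crt"
}

# Usage: sh certgen.sh OUT_DIR [HOSTNAME]; with no arguments it writes to a temp dir.
main "${1:-$(mktemp -d)}" "${2:-localhost}"
```

`verify_chain` is the part worth keeping around after the files are made: `openssl verify` is what a TLS client effectively does, and the modulus comparison catches the common mistake of pairing a certificate with the wrong key. Running it against a second, unrelated CA must fail, which is a quick way to confirm the check is not vacuous.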
That is the essence of it: you now have a CA, a server certificate signed by that CA, and both the JKS and PEM formats for your certificates and keys. You can use the JKS in Ermis Server (which is written predominantly in Java) and the PEM format in other sections of the server like Go, Node.js etc.
"Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say"
— Dr. Edward Snowden