
Generating SSL Step 1: Verify Openssl Installed or Not

This document provides steps to generate an SSL certificate for a server. It involves: 1. Installing OpenSSL if not already present 2. Creating an RSA private key 3. Generating a Certificate Signing Request (CSR) using the private key 4. Creating an SSL certificate by signing the CSR 5. Optional steps to create a PKCS12 keystore and convert it to a JKS format for use in Java

Uploaded by

Lav Kumar

Generating SSL

Step 1
Verify OpenSSL installed or not
$ which openssl

# If it is not installed, install it with the following command (Homebrew, on macOS or Linux)

$ brew install openssl

Step 2
Create RSA Private Key
# The command below creates a file named 'server.pass.key' in the folder
where the command is executed. In pass:x, x is the password.

$ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048

# The command below reads the 'server.pass.key' file that was just
generated and writes the key, without password protection, to 'server.key'.

$ openssl rsa -passin pass:x -in server.pass.key -out server.key

# We no longer need the 'server.pass.key'


$ rm server.pass.key

Step 3
Create the Certificate Signing Request (CSR), utilizing the RSA private
key we generated in the last step.
# The command below asks for the information to be included in the
certificate. Since this is a self-signed certificate, there is no need to
provide the 'challenge password' (to leave it blank, press Enter).

$ openssl req -new -key server.key -out server.csr

You will be asked for additional details. Fill them in and press Enter.

Step 4
Generate a file named v3.ext with the below-listed contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>

For multiple domain names, list each one as a DNS entry under subjectAltName:

[alt_names]
DNS.1 = <specify-the-same-common-name-that-you-used-while-generating-csr-in-the-last-step>
DNS.2 = <domain name 2>

Step 5
Create the SSL Certificate, utilizing the CSR created in the last step.
$ openssl x509 -req -sha256 -extfile v3.ext -days 365 -in server.csr \
    -signkey server.key -out server.crt

Signature ok
subject=/C=<country>/ST=<state>/L=<locality>/O=<organization-name>/OU=<organization-unit-name>/CN=<common-name-probably-server-fqdn>/emailAddress=<email-address-provided-while-generating-csr>
Getting Private key
$

If you do not have an ext file, use the following command to generate the
SSL certificate:
$ openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key \
    -out server.crt

Step 6
Creating P12
$ openssl pkcs12 -export -name servercert -in server.crt -inkey server.key \
    -out myp12keystore.p12

Converting P12 to JKS


$ keytool -importkeystore -destkeystore mykeystore.jks -srckeystore \
    myp12keystore.p12 -srcstoretype pkcs12 -alias servercert

On Windows, first download OpenSSL from the official site, extract the zip
file, and set the path in a cmd window run in administrator mode:
set OPENSSL_CONF=<path of the OpenSSL>\openssl-0.9.8k_X64\openssl.cnf
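
Added example, not part of the original document: Steps 2 to 5 as a non-interactive shell script, followed by checks that the certificate carries the expected subjectAltName, is marked CA:FALSE, matches server.key, and that the key file is accessible to its owner only. The function names and the sample name app.example.test are assumptions; the key is generated unencrypted in one command instead of via pass:x, because a passphrase given on the command line ends up in shell history and process listings.

```shell
# Added example (not from the original document): Steps 2-5 run
# non-interactively, then the result is checked. Function names and the
# sample name app.example.test are assumptions.

make_selfsigned() {  # usage: make_selfsigned <common-name> <output-dir>
    cn=$1; dir=$2
    (
        umask 077                 # key and cert files: owner access only
        cd "$dir" || exit 1
        # Step 2: end state of the page's genrsa + rsa pair (an unencrypted
        # key), reached without putting a passphrase on the command line
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        # Step 3: -subj answers the interactive prompts
        openssl req -new -key server.key -subj "/CN=$cn" -out server.csr || exit 1
        # Step 4: v3.ext as on the page, DNS.1 set to the common name
        cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $cn
EOF
        # Step 5: self-sign the CSR
        openssl x509 -req -sha256 -extfile v3.ext -days 365 -in server.csr \
            -signkey server.key -out server.crt 2>/dev/null || exit 1
    )
}

check_cert() {  # usage: check_cert <output-dir> <common-name>; 0 = all pass
    text=$(openssl x509 -in "$1/server.crt" -noout -text) || return 1
    # SAN must contain the exact name clients connect to
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//;s/ *$//' \
        | grep -qxF "DNS:$2" || { echo "SAN lacks $2"; return 1; }
    # Leaf certificate, not a CA
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || { echo "not CA:FALSE"; return 1; }
    # Certificate and private key must be one key pair
    [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout)" ] \
        || { echo "certificate and key do not match"; return 1; }
    # Private key must not be readable by group or others
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ] \
        || { echo "server.key permissions too open"; return 1; }
}

demo_dir=$(mktemp -d)
make_selfsigned app.example.test "$demo_dir" \
    && check_cert "$demo_dir" app.example.test \
    && echo "certificate checks passed in $demo_dir"
```

check_cert can also be pointed at a folder produced by the manual steps above, as long as it contains server.crt and server.key.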
