Useful commands for SSL certificates

Generate a self-signed certificate and export it to a truststore

1. Generate a key pair and certificate with the keytool -genkey command (Windows)

keytool -genkey -alias myAlias -keyalg RSA -sigalg SHA256withRSA -keystore keystore.jks -validity 10950

2. Self-sign the certificate (the alias must match the entry created in step 1; -genkey already produces a self-signed certificate, and -selfcert regenerates it, here with a shorter validity)

keytool -selfcert -alias myAlias -keystore keystore.jks -validity 3950

3. Export the certificate to a file (PEM format because of -rfc)

keytool -export -alias myAlias -keystore keystore.jks -rfc -file myCertificate.cer

4. Import the certificate into the client truststore:

keytool -importcert -alias myAlias -file C:\certs\myCertificate.cer -keystore client.truststore

How to create a Java keystore file (.jks) from an existing key/certificate

Use OpenSSL to create a P12 (PKCS#12) file from the AIP certificate and its private key

sudo openssl pkcs12 -export -name keystore_cert -in myCertificate.crt -inkey my.key -out keystore.p12

Use keytool to create the .jks file from the P12 file

sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias keystore_cert

Create a private key and certificate chain

1. The first keytool command creates the keystore, keystore.jks, and imports the Root CA certificate into it as a trusted entry

keytool -import -alias root-cert -trustcacerts -file Root_CA.crt -keystore keystore.jks -storepass qweasd

2. Verify the contents of the keystore

keytool -list -v -keystore keystore.jks -storepass qweasd

3. Chain the server certificate to the root certificate (import it under the same alias as its private key; keytool links it to the root certificate already in the keystore)

keytool -import -alias myAlias -file myCertificate.cer -keystore keystore.jks

Display the content of the certificate and the keystore (-printcert reads a certificate file, so it takes no store password)

keytool -printcert -file .\name_of_certificate.cer
keytool -list -v -storepass qweasd -keystore .\keystore.jks

How to configure SSL/TLS in Linux (Apache httpd)

Apache httpd on Linux ships with default certificates, configured in the /etc/httpd/conf.d/ssl.conf file. You need to replace them with your own certificates so that browsers trust the server.

Copy the key (.key) to /etc/pki/tls/private/ and the AIP certificate (.crt) to /etc/pki/tls/certs/

sudo cp /home/suleyman.yildirim/my.key  /etc/pki/tls/private/
sudo cp /home/suleyman.yildirim/my.crt  /etc/pki/tls/certs/

Open the SSL configuration file

sudo vim /etc/httpd/conf.d/ssl.conf

Update SSLCertificateFile and SSLCertificateKeyFile to point at the copied files

SSLCertificateFile /etc/pki/tls/certs/my.crt
SSLCertificateKeyFile /etc/pki/tls/private/my.key

Restart the httpd service so the new certificate is loaded

sudo service httpd restart
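Before copying my.key and my.crt into /etc/pki/tls, and before the keytool -import that chains the server certificate to Root_CA.crt, it is worth confirming that the private key actually matches the certificate, that the certificate validates against the root, and that it is not about to expire. The script below is an added example, not part of these notes; it assumes the openssl CLI and, so that it runs offline, builds a constructed throwaway root CA and leaf key/certificate standing in for Root_CA.crt, my.crt and my.key.

```shell
# Pre-deployment check for a key/certificate pair and its chain. Added example,
# not part of the original notes; assumes the openssl CLI is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for Root_CA.crt, my.crt and my.key so the script runs
# offline; other.key is an unrelated key used to show what a mismatch looks like.
make_test_material() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=Test Root CA" -keyout "$WORK/root.key" -out "$WORK/Root_CA.crt" >/dev/null 2>&1
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=my.example.test" \
        -keyout "$WORK/my.key" -out "$WORK/my.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/my.csr" -CA "$WORK/Root_CA.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 60 -out "$WORK/my.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# 0 when the public key in the certificate equals the one derived from the private key.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 when the leaf certificate validates against the trusted root.
chain_is_valid() {  # $1 = root CA certificate, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the certificate is still valid $2 seconds from now.
cert_not_expiring() {  # $1 = certificate, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all three checks; one line per check, returns 0 only if every check passes.
preflight() {  # $1 = certificate, $2 = private key, $3 = root CA certificate
    rc=0
    key_matches_cert "$1" "$2" && echo "PASS key matches certificate" || { echo "FAIL key/cert mismatch"; rc=1; }
    chain_is_valid "$3" "$1" && echo "PASS chains to root CA" || { echo "FAIL does not chain to root CA"; rc=1; }
    cert_not_expiring "$1" 2592000 && echo "PASS valid for 30+ days" || { echo "FAIL expires within 30 days"; rc=1; }
    return $rc
}

make_test_material
preflight "$WORK/my.crt" "$WORK/my.key" "$WORK/Root_CA.crt"
```

On real files run `preflight my.crt my.key Root_CA.crt`; a FAIL on the key check means the SSLCertificateKeyFile does not belong to the SSLCertificateFile and httpd will refuse to start.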

