Below are the different ways
Generate a certificate from an existing private key
openssl req -key private.key -new -x509 -days 1460 -out domain.crt
Generate private key and self-signed certificate together
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout private.key -days 365 -out domain.cert
Now you have the private key and certificate in PEM format (ASCII)
The private key and certificate can both be stored in a single file: JKS, P12 or PEM (unencrypted)
Create P12 file from private key and certificate
P12 is also called PFX
openssl pkcs12 -export -name arpit -in domain.crt -inkey private.key -out keystore.p12
Create JKS from private key and certificate
Not possible directly; create a P12 first, then convert it to JKS
Convert P12 to JKS
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias arpit
Convert P12 to PEM
openssl pkcs12 -in keystore.p12 -out keystore.pem -nodes
Create JKS
This generates the private key on the fly
keytool -genkey -keyalg RSA -alias arpit -keystore keystore.jks -validity 1460 -keysize 2048
Convert JKS to P12
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
Extract Certificate from JKS
keytool -exportcert -rfc -alias arpit -keystore keystore.jks -file domain.crt
Extract Private Key from PKCS12
openssl pkcs12 -in keystore.p12 -nocerts -out private.key
Extract Certificate from PKCS12
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out domain.pem
Generate 4096 bits RSA private key
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:4096
Remove password from Private key
openssl rsa -in id_rsa -out id_rsa_new
List details of JKS
keytool -v -list -keystore keystore.jks
View details of certificate
keytool -printcert -file domain.crt
openssl x509 -text -in domain.crt
View Details of P12 file
keytool -list -keystore keystore.p12 -storetype PKCS12 -v
View details of CSR
openssl req -noout -text -in server.csr
A CRT/CERT contains information about "Issued to" and "Issued By"
The authority (Issued By) is called the CA
The buyer should generate a CSR using his private key, filling in the CN (Common Name) with the IP address or domain
openssl req -new -key client.key -out client.csr
He gives this CSR to a trusted authority (Issued By). The authority will already have generated its own CERT and private key, with its company name as the CN
The authority signs your CSR with its CERT and private key
If you are an authority, keep the serial numbers in order
Below is the command the authority uses to sign your CSR
openssl x509 -req -days 1460 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
client.crt will be emailed to him.
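The CSR flow above, run end to end as an added example (not part of the original notes): the authority creates its key and certificate, the buyer creates a key and CSR, the authority signs it, and the buyer then checks that client.crt chains to ca.crt and carries the same public key as client.key. The subject names, the 2048-bit key size and the helper names pubkey_hash and issue_and_check are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes. Subject names are constructed.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_hash() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Run the CSR flow in directory $1; return 0 only if every step and check passes.
issue_and_check() {
    d="$1"
    # Authority: private key and self-signed certificate, CN = company name.
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -days 365 -out "$d/ca.crt" \
        -subj "/CN=Example Demo CA" 2>/dev/null || return 1
    # Buyer: private key, then a CSR with CN = domain.
    openssl genpkey -algorithm RSA -out "$d/client.key" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null || return 1
    openssl req -new -key "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=demo.example.test" || return 1
    # Authority: sign the CSR (same command as in the notes).
    openssl x509 -req -days 1460 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/client.crt" 2>/dev/null || return 1
    # Buyer: the certificate must chain to the authority's certificate ...
    openssl verify -CAfile "$d/ca.crt" "$d/client.crt" >/dev/null 2>&1 || return 1
    # ... and carry the same public key as client.key and client.csr.
    k=$(pubkey_hash key "$d/client.key")
    [ -n "$k" ] && [ "$k" = "$(pubkey_hash csr "$d/client.csr")" ] \
        && [ "$k" = "$(pubkey_hash crt "$d/client.crt")" ]
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d) && issue_and_check "$tmp" && echo "client.crt verified"
rm -rf "$tmp"
```

The same public-key comparison is a quick way to confirm that a private.key and domain.crt belong together before packing them into a P12.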
This authority provides signed certificates for free; in other words, it signs our CSR for free.
You will have to configure a DNS TXT record for the subdomain for this to work
See https://serverfault.com/a/1012254
You can install the certbot command on your laptop
sudo certbot -d \*.msmartpay.in -d msmartpay.in --manual --preferred-challenges dns certonly
or use the Docker image
docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -p 80:80 certbot/certbot certonly
Signing aab or apk
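Google Play accepts files signed with the upload key
Sign with an existing jks file (leave out -storepass and -keypass to have jarsigner prompt for them, which keeps the passwords out of shell history)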
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore keystore.jks -storepass 'arpit_storepass' -keypass 'arpit_aliaspass' app-release.aab arpit_alias
jarsigner -verbose -sigalg SHA256withRSA -digestalg SHA-256 -keystore keystore.jks -storepass arpit1997 -keypass arpit1997 ~/Desktop/distributor.aab upload
Verify whether an aab or apk is signed
jarsigner -verify -certs -verbose app-release.aab