- Create a working directory, e.g. /opt/rootCA (the location itself does not matter, but it must be secured, since it will hold the CA's private key). Inside it create the subdirectories private, certs and newcerts. The openssl ca command used below also expects an empty index.txt (its database of issued certificates) and a serial file in this directory.
- Change the permissions on the new rootCA directory so that only your user can access it (mode 700 does not make it read-only for others, it denies them any access at all):
chmod -R 700 /opt/rootCA
Find an existing openssl.cnf file on your system and copy it to /opt/rootCA. This becomes the template configuration for your CA; set dir in its [ CA_default ] section to /opt/rootCA. Then generate the CA's private key and self-signed root certificate (note that -days 365 expires the root after one year; a root CA is usually issued for considerably longer):
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config /opt/rootCA/openssl.cnf
Next, generate a private key in a Java keystore for the server you are requesting the new certificate for:
keytool -genkey -alias alias -keyalg RSA -keysize 2048 -dname "cn=servername.example.com,dc=example,dc=com" -keypass keypass -keystore ./keystore.jks -storepass storepass -validity 3650
- Note: a SAN can be added to the CSR with the -ext parameter, e.g. -ext "san=dns:app1.example.com". Be aware that openssl ca ignores extensions carried in the CSR unless copy_extensions is set in openssl.cnf.
Now create a certificate signing request (CSR) from your server's keystore:
keytool -certreq -v -alias alias -file servername.csr -keypass keypass -storepass storepass -keystore ./keystore.jks
Sign the CSR with your CA:
openssl ca -config /opt/rootCA/openssl.cnf -in servername.csr -out /opt/rootCA/newcerts/servername.pem
If the extensions that should appear in the signed certificate (e.g. the SAN) are defined in a section of openssl.cnf, for example:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = app1.example.com
DNS.2 = app2.example.com
then name that section with -extensions when signing. openssl ca takes the SAN from this section rather than from the CSR unless copy_extensions = copy is set in [ CA_default ], so without that setting a SAN added via keytool -ext is dropped:
openssl ca -config /opt/rootCA/openssl.cnf -in app1-example-com.csr -extensions v3_req -out /opt/rootCA/newcerts/app1-example-com.pem
Convert the signed certificate to DER and import it into the keystore under the same alias as the key. The CA certificate must already be trusted by the keystore (import cacert.pem under a separate alias first), otherwise keytool rejects the reply with "Failed to establish chain from reply":
openssl x509 -outform der -in servername.pem -out servername.der
keytool -import -v -alias alias -file servername.der -keystore ./keystore.jks -keypass keypass -storepass storepass
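The whole procedure above as one runnable script, added here as an example and not part of the original notes. It builds a throwaway CA in a work directory you pass in, writes a minimal openssl.cnf (with the v3_req/alt_names sections from the notes, typos fixed, plus the index.txt and serial files openssl ca needs), signs a server CSR and, when a JDK is on the PATH, goes through the keytool keystore steps; without keytool it uses openssl to produce the CSR instead. The CA name, server name, keystore, alias, passwords and paths are all constructed for the demo.

```sh
# Added example, not from the original notes: the procedure above run end to
# end against a throwaway CA. Constructed for the demo: the work dir passed in,
# the CA/server names, keystore/alias/passwords, and the minimal openssl.cnf in
# write_cnf. Needs openssl; the keytool steps run only if a JDK is on PATH.
set -eu
# Minimal openssl.cnf. v3_req/alt_names are the sections from the notes, typos
# fixed. copy_extensions = none: a SAN inside the CSR is ignored and only the
# config's SAN is issued; set it to "copy" to honour the CSR's own SAN instead.
write_cnf() {
    cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
copy_extensions = none
policy = policy_any
[ policy_any ]
commonName = supplied
domainComponent = optional
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = app1.example.com
DNS.2 = app2.example.com
EOF
}
# The layout from the notes plus the two files openssl ca also needs:
# an empty index.txt (issued-cert database) and a serial file.
setup_ca() {
    mkdir -p "$1/private" "$1/certs" "$1/newcerts"
    chmod -R 700 "$1"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    write_cnf "$1" > "$1/openssl.cnf"
    # -nodes keeps the CA key unencrypted so this runs unattended; a real
    # root key should be passphrase-protected (drop -nodes) and kept offline.
    openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" -days 365 \
        -config "$1/openssl.cnf" 2>/dev/null
}
# sign_csr <ca_dir> <csr> <out.pem>: issue a server cert carrying the v3_req SAN.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2" \
        -extensions v3_req -out "$3" 2>/dev/null
}
# san_names <cert.pem>: print the DNS names in the issued SAN, one per line.
san_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
# verify_chain <ca_dir> <cert.pem>: print OK if the cert chains to the CA.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 && echo OK
}
# run_demo <workdir>: CA setup, server key + CSR (keytool if available, else
# openssl), signing, keystore import; prints the path of the issued cert.
run_demo() {
    ca=$1/rootCA; ks=$1/keystore.jks; srv=servername.example.com
    setup_ca "$ca"
    if command -v keytool >/dev/null 2>&1; then
        keytool -genkeypair -alias alias -keyalg RSA -keysize 2048 \
            -dname "cn=$srv,dc=example,dc=com" -keypass keypass \
            -keystore "$ks" -storepass storepass -validity 3650 >/dev/null 2>&1
        keytool -certreq -alias alias -file "$1/$srv.csr" -keypass keypass \
            -storepass storepass -keystore "$ks" >/dev/null 2>&1
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$srv.key" \
            -subj "/CN=$srv" -out "$1/$srv.csr" -config "$ca/openssl.cnf" 2>/dev/null
    fi
    sign_csr "$ca" "$1/$srv.csr" "$ca/newcerts/$srv.pem"
    if command -v keytool >/dev/null 2>&1; then
        # The CA cert must be in the keystore before the reply is imported,
        # otherwise keytool fails with "Failed to establish chain from reply".
        keytool -importcert -noprompt -alias rootca -file "$ca/cacert.pem" \
            -keystore "$ks" -storepass storepass >/dev/null 2>&1
        openssl x509 -outform der -in "$ca/newcerts/$srv.pem" -out "$1/$srv.der"
        keytool -importcert -noprompt -alias alias -file "$1/$srv.der" \
            -keystore "$ks" -keypass keypass -storepass storepass >/dev/null 2>&1
    fi
    echo "$ca/newcerts/$srv.pem"
}
[ $# -eq 0 ] || run_demo "$1"   # usage: sh ca-demo.sh /tmp/work
```

Run it as sh ca-demo.sh /tmp/work, then check the result with san_names (the issued cert should list app1.example.com and app2.example.com, taken from the config section, not the CSR) and verify_chain (prints OK when the cert chains to cacert.pem). The serial and index.txt files are what openssl ca updates on every issuance, so they are worth backing up along with the CA key.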