Create a self-signed certificate chain (root -> ca -> server) with keytool for development
#!/usr/bin/env bash
# Builds a throw-away three-level chain (root -> ca -> server) using nothing but keytool,
# then packs the server key with its chain into my-keystore.jks and the trust anchors
# into my-truststore.jks. Development only: the password is fixed and passed on the
# command line, and every private key sits in a plain .jks file in the working directory.
set -euo pipefail

PASS=password   # key and store password for every keystore created below

rm -f ./*.jks ./*.pem
echo "===================================================="
echo "Creating fake third-party chain root -> ca"
echo "===================================================="
# Key pairs for root and ca. The two subjects must differ: if root and ca shared one DN,
# the ca certificate's issuer would equal its own subject, which X.509 path building
# treats as "self-issued" rather than "issued by root".
# -ext bc:c = critical basicConstraints with CA:true (keytool's default when no value is given).
keytool -genkeypair -alias root -dname "cn=Local Network - Development Root" -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore root.jks -keypass "$PASS" -storepass "$PASS"
keytool -genkeypair -alias ca   -dname "cn=Local Network - Development CA"   -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore ca.jks   -keypass "$PASS" -storepass "$PASS"
# Self-signed root certificate, PEM-encoded (-rfc). This is also the file to import into an
# OS or browser trust store so that clients accept the whole chain.
# PowerShell note: '>' there is Out-File and writes UTF-16, which keytool rejects; use
# '| Out-File root.pem -encoding ASCII' instead (see the comments below).
keytool -exportcert -rfc -keystore root.jks -alias root -storepass "$PASS" > root.pem
# Intermediate certificate: CSR from ca.jks, signed by root (root -> ca).
# -ext bc=0 = CA:true with pathLenConstraint 0, so ca may issue end-entity certificates only.
keytool -keystore ca.jks -storepass "$PASS" -certreq -alias ca \
    | keytool -keystore root.jks -storepass "$PASS" -gencert -alias root -ext bc=0 -ext san=dns:ca -rfc > ca.pem
# Import the chain into ca.jks: root first as a trusted entry, then ca.pem as the reply that
# replaces the self-signed ca certificate (keytool verifies the reply against root).
keytool -keystore ca.jks -storepass "$PASS" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore ca.jks -storepass "$PASS" -importcert -noprompt -alias ca -file ca.pem
echo "===================================================================="
echo "Fake third-party chain generated. Now generating my-keystore.jks ..."
echo "===================================================================="
# Server key pair. The CN is cosmetic: clients match the host name against the SAN below.
keytool -genkeypair -alias server -dname cn=server -validity 10000 -keyalg RSA -keysize 2048 -keystore my-keystore.jks -keypass "$PASS" -storepass "$PASS"
# Server certificate signed by ca (root -> ca -> server). Extensions:
#   ku:c=dig,keyEnc  critical keyUsage digitalSignature + keyEncipherment (TLS with an RSA key)
#   san=...          every host name and IP clients will connect to; an ip: entry needs a
#                    literal address such as ip:127.0.0.1
#   eku=sa,ca        extendedKeyUsage serverAuth + clientAuth
keytool -keystore my-keystore.jks -storepass "$PASS" -certreq -alias server \
    | keytool -keystore ca.jks -storepass "$PASS" -gencert -alias ca -ext ku:c=dig,keyEnc -ext "san=dns:localhost,ip:127.0.0.1" -ext eku=sa,ca -rfc > server.pem
# Import the chain into my-keystore.jks so the server entry carries root -> ca -> server.
keytool -keystore my-keystore.jks -storepass "$PASS" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore my-keystore.jks -storepass "$PASS" -importcert -noprompt -alias ca -file ca.pem
keytool -keystore my-keystore.jks -storepass "$PASS" -importcert -noprompt -alias server -file server.pem
echo "================================================="
echo "Keystore generated. Now generating truststore ..."
echo "================================================="
# Trust store for clients. root is the actual trust anchor; ca and server are not needed for
# path validation (the server sends them in the handshake) but are also added so the store
# can be used to pin either of them directly.
keytool -keystore my-truststore.jks -storepass "$PASS" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore my-truststore.jks -storepass "$PASS" -importcert -noprompt -alias ca -file ca.pem
keytool -keystore my-truststore.jks -storepass "$PASS" -importcert -noprompt -alias server -file server.pem
# Check: the server entry should report "Certificate chain length: 3".
#   keytool -list -v -keystore my-keystore.jks -storepass "$PASS" -alias server

jamiehankins commented Aug 20, 2018

I realize this is from two years ago, but it's very helpful.

However, when it gets to the point where I'm trying to import the root certificate into the intermediate store, I get this:
keytool error: java.lang.Exception: Input not an X.509 certificate

Given that this is a pretty stale post, I don't expect a response, but if someone else sees it, they'll know they're not alone. I'll look for the solution and post it here if I find it and remember. :-)


jamiehankins commented Aug 20, 2018

Update: when I look at root.pem with a hex editor, I see that it's UTF-16 (what Windows calls UNICODE). If I copy and paste it as UTF-8, then it imports it fine. That means something about how keytool pipes this out is causing it.

By the way, I'm using PowerShell on Windows. That's probably the problem, somehow.


jamiehankins commented Aug 20, 2018

Yes, the problem was PowerShell. When you use the '>' operator to send output to a file, it's an alias for Out-File. Out-File writes as UTF-16 by default.

The answer is to replace "> root.pem" with "| Out-File root.pem -encoding ASCII".

Hopefully, this will help a weary traveller.
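The encoding problem worked out in the comments above can be caught before keytool ever sees the file. The POSIX sh functions below are an added example and are not part of the gist or of anyone's comment: pem_check looks at a PEM file's first bytes for a UTF-16 or UTF-8 byte-order mark, scans for NUL bytes (UTF-16 written without a BOM), and confirms the BEGIN/END CERTIFICATE framing; pem_count counts certificates in a bundle; pem_show decodes one with OpenSSL (1.1.1 or later for -ext) so you can confirm that the -ext flags given to keytool -gencert actually landed in the certificate. The function names and return codes are my own convention, and the framing check does not validate the DER body.

```shell
#!/bin/sh
# Added example (not from the original gist): sanity-check PEM files before
# keytool -importcert. PowerShell's '>' (Out-File) writes UTF-16 with a BOM,
# and keytool then fails with "Input not an X.509 certificate".
#
# pem_check FILE return codes (assumed convention, not keytool's):
#   0  7-bit ASCII with -----BEGIN/END CERTIFICATE----- framing
#   1  file missing
#   2  UTF-16/UTF-8 byte-order mark, or NUL bytes (UTF-16 without a BOM)
#   3  ASCII but no PEM certificate framing (DER output, or the wrong file)
pem_check() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # First three bytes as hex, e.g. "fffe2d": ff fe / fe ff = UTF-16 BOM, ef bb bf = UTF-8 BOM.
    head3=$(od -A n -t x1 -N 3 "$f" | tr -d ' \n')
    case $head3 in
        fffe*|feff*)
            echo "$f: UTF-16 BOM; re-save as ASCII (PowerShell: | Out-File $f -encoding ASCII)" >&2
            return 2 ;;
        efbbbf)
            echo "$f: UTF-8 BOM; keytool will not accept it, strip the first three bytes" >&2
            return 2 ;;
    esac

    # UTF-16 without a BOM: every ASCII character is followed by a 0x00 byte.
    if od -A n -t x1 "$f" | grep -q ' 00'; then
        echo "$f: contains NUL bytes, probably UTF-16 text" >&2
        return 2
    fi

    # Framing only: keytool still needs a valid base64 DER body between the markers.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || ! grep -q -- '-----END CERTIFICATE-----' "$f"; then
        echo "$f: no PEM CERTIFICATE block (DER file? export with keytool -exportcert -rfc)" >&2
        return 3
    fi
    return 0
}

# Number of certificates in a PEM bundle (root.pem and ca.pem concatenated should give 2).
# grep -c exits 1 when the count is 0, so the "|| :" keeps the function's status at 0.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Decode a certificate with OpenSSL (1.1.1 or later for -ext) to confirm that subject,
# issuer, SAN and EKU match what the -ext flags to keytool -gencert asked for.
pem_show() {
    openssl x509 -in "$1" -noout -subject -issuer -ext subjectAltName,extendedKeyUsage
}

# Usage: sh pem_check.sh root.pem ca.pem server.pem
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        if pem_check "$f"; then
            echo "$f: ok ($(pem_count "$f") certificate(s))"
        else
            status=1
        fi
    done
    exit "$status"
fi
```

Run it over the three .pem files the script writes; on a Windows box the UTF-16 case is reported with the Out-File fix from the thread instead of the opaque "Input not an X.509 certificate" error, and on any box a DER file exported without -rfc is flagged before it reaches keytool.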


andrejonathan commented Mar 7, 2019

Thank you , this is amazing


mithun3 commented Jun 25, 2019

Thank you!


arpcpro commented Aug 2, 2019

It seems promising since it uses keytool for the entire procedure. Unfortunately it does not create the client side *.crt file that I need. This way the clients browsers will always show the security warning since I cannot import the certificate to windows trusted certificate authorities.


pagetronic commented Aug 20, 2019

Perfect ! Thank you!


rroehrig commented Oct 22, 2019

Thanks but why do you use "-ext eku=sa,ca"?


granella commented Oct 22, 2019

Thanks but why do you use "-ext eku=sa,ca"?

It's an Extended Key Usage for TLS server authentication.
