
Using OpenSSL to create certificates

First, create the keys.

Warning: Replace sspass, skpass, cspass and ckpass in the examples below with your own passwords. Note that the pass:... form used here puts the password on the command line, where it is visible in the process list and in shell history; for anything beyond a throwaway test, supply it with env:VARIABLE or file:PATH instead.

Creating the service keystore

Note: the rm commands below delete every .p12, .pem, .jks and .cer file in the working directory, so create a new, empty directory and change into it before running these commands from a terminal window.

rm *.p12 *.pem *.jks *.cer
openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 -keyout servicekey.pem -out servicecert.pem -passout pass:sspass

This generates a new 2048-bit RSA private key, encrypted with sspass, and a self-signed certificate for it. The certificate is valid for 36525 days (about 100 years), which is fine for a test setup but far too long for production.

The command is interactive. Enter the answers to the prompts, for example:

Country Name - US
State or Province Name - New York
Locality Name - Buffalo
Organization Name - Sample Web Service Provider -- NOT FOR PRODUCTION
Organizational Unit Name - IT Department
Common Name - www.service.com
Email Address - service@service.com
openssl pkcs12 -export -inkey servicekey.pem -in servicecert.pem -out service.p12 -name myservicekey -passin pass:sspass -passout pass:skpass

This creates a PKCS#12 file containing the private key and its certificate under the alias myservicekey. The skpass value given to -passout protects both the PKCS#12 store and the private key inside it.

keytool -importkeystore -destkeystore servicestore.jks -deststoretype jks -deststorepass sspass -srckeystore service.p12 -srcstorepass skpass -srcstoretype pkcs12

This imports the key and certificate into a new JKS keystore. The keystore's password is sspass, but because no -destkeypass is given the private key entry keeps its earlier password, skpass. On JDK 9 and later keytool warns that JKS is a proprietary format; Java reads PKCS#12 keystores natively, so the conversion is only needed if the consuming application insists on JKS.

keytool -list -keystore servicestore.jks -storepass sspass -v

The list command just shows the entries currently in the keystore. Check that myservicekey appears as a PrivateKeyEntry; a TrustedCertEntry means the private key was not imported.

keytool -exportcert -alias myservicekey -storepass sspass -keystore servicestore.jks -file service.cer

This exports only the certificate (the public part) to service.cer, which is what the client side will later need to trust the service.

keytool -printcert -file service.cer

This displays the exported certificate so you can confirm the subject, validity period and fingerprint.

rm *.pem *.p12

This removes the intermediate PEM and PKCS#12 files. After this step the private key exists only inside servicestore.jks, so keep that file (and its passwords) safe.

Creating the client keystore

openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 -keyout clientkey.pem -out clientcert.pem -passout pass:cspass

The command is interactive. Enter the answers to the prompts, for example:

Country Name - US
State or Province Name - New York
Locality Name - Niagara Falls
Organization Name - Sample Client -- NOT FOR PRODUCTION
Organizational Unit Name - IT Department
Common Name - www.client.com
Email Address - client@client.com
openssl pkcs12 -export -inkey clientkey.pem -in clientcert.pem -out client.p12 -name myclientkey -passin pass:cspass -passout pass:ckpass

As on the service side, this creates a PKCS#12 file with the client key and certificate under the alias myclientkey; ckpass protects both the store and the private key.

keytool -importkeystore -destkeystore clientstore.jks -deststoretype jks -deststorepass cspass -srckeystore client.p12 -srcstorepass ckpass -srcstoretype pkcs12

This imports the pair into a new JKS keystore with password cspass; the private key entry keeps ckpass.

keytool -list -keystore clientstore.jks -storepass cspass -v

Check that myclientkey is listed as a PrivateKeyEntry.

keytool -exportcert -alias myclientkey -storepass cspass -keystore clientstore.jks -file client.cer
keytool -printcert -file client.cer

This exports the client certificate to client.cer and displays it.

rm *.pem *.p12

This removes the intermediate files; the client private key now exists only inside clientstore.jks.
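The whole procedure above, for both the service and the client pair, as one non-interactive script. This is an added example, not code from the original page: it supplies the subject with -subj instead of answering the prompts, passes the passwords through environment variables (env:NAME) rather than on the command line, writes everything to a mktemp scratch directory, skips the keytool steps when no JDK is installed, and adds a verify_keystore check that the PKCS#12 opens only with the right password and carries the certificate that openssl req produced. The function names make_keystore and verify_keystore and the shortened organization name are choices made here.

```shell
#!/bin/sh
# Added example, not taken from the page: the service/client keystore
# procedure above, run non-interactively. Assumptions not on the page:
# the subject is given with -subj instead of answered at the prompts,
# passwords travel in environment variables (env:NAME) rather than on
# the command line, files go to a mktemp scratch directory, and the
# keytool steps are skipped when no JDK is installed.
set -eu

# make_keystore DIR NAME ALIAS CN PEMPASS P12PASS STOREPASS
# Writes DIR/NAME-key.pem, DIR/NAME-cert.pem and DIR/NAME.p12; with
# keytool available it also writes DIR/NAME.jks and DIR/NAME.cer.
make_keystore() {
  dir=$1 name=$2 alias=$3 cn=$4
  # Exported so openssl/keytool read them via env:; `ps` shows only the
  # variable names. (Same-user processes can still read /proc/PID/environ.)
  export PEM_PASS="$5" P12_PASS="$6" STORE_PASS="$7"

  # Self-signed certificate. 36525 days matches the page; that is about
  # 100 years, acceptable only for a throwaway test.
  openssl req -x509 -days 36525 -newkey rsa:2048 -sha256 \
    -subj "/C=US/ST=New York/L=Buffalo/O=Sample -- NOT FOR PRODUCTION/OU=IT Department/CN=$cn" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" -passout env:PEM_PASS

  # Bundle key and certificate into PKCS#12 under ALIAS. With -passout,
  # P12PASS protects both the store and the private key (as the page notes).
  openssl pkcs12 -export -inkey "$dir/$name-key.pem" -in "$dir/$name-cert.pem" \
    -out "$dir/$name.p12" -name "$alias" -passin env:PEM_PASS -passout env:P12_PASS

  if command -v keytool >/dev/null 2>&1; then
    # No -destkeypass, so the key entry keeps P12PASS while the store
    # gets STOREPASS, exactly as in the interactive version.
    keytool -importkeystore -noprompt \
      -srckeystore "$dir/$name.p12" -srcstoretype pkcs12 -srcstorepass:env P12_PASS \
      -destkeystore "$dir/$name.jks" -deststoretype jks -deststorepass:env STORE_PASS
    keytool -exportcert -rfc -alias "$alias" -keystore "$dir/$name.jks" \
      -storepass:env STORE_PASS -file "$dir/$name.cer"
  fi
}

# verify_keystore DIR NAME P12PASS
# Returns 0 only if DIR/NAME.p12 opens with P12PASS, rejects a wrong
# password, and holds the same certificate as DIR/NAME-cert.pem.
verify_keystore() {
  dir=$1 name=$2
  export P12_PASS="$3"
  openssl pkcs12 -in "$dir/$name.p12" -passin env:P12_PASS -noout || return 1
  if P12_PASS=definitely-wrong openssl pkcs12 -in "$dir/$name.p12" \
       -passin env:P12_PASS -noout 2>/dev/null; then
    return 1
  fi
  want=$(openssl x509 -in "$dir/$name-cert.pem" -noout -fingerprint -sha256)
  got=$(openssl pkcs12 -in "$dir/$name.p12" -passin env:P12_PASS -nokeys -clcerts \
        | openssl x509 -noout -fingerprint -sha256)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Demo: the service and client pairs from the page. The passwords are
# the page's placeholders; replace them before real use.
WORK=$(mktemp -d)
make_keystore "$WORK" service myservicekey www.service.com sspass skpass sspass
make_keystore "$WORK" client  myclientkey  www.client.com  cspass ckpass cspass
verify_keystore "$WORK" service skpass
verify_keystore "$WORK" client  ckpass
echo "keystores written to $WORK:"
ls -1 "$WORK"
```

Two compatibility points worth knowing: OpenSSL 3 writes PKCS#12 files with AES-256 and PBKDF2 by default, which very old Java 8 releases (before 8u301) cannot read, so if keytool rejects the .p12 on such a JDK, update the JDK rather than weakening the bundle; and because Java itself reads PKCS#12, the .p12 can usually be used directly as the keystore, making the JKS conversion optional.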
