There are different ways of creating a self-signed certificate, such as using the Java keytool. I prefer OpenSSL because the keys and certificates generated this way are more standardized and can be reused for other purposes. Follow the steps below to generate a self-signed SSL certificate for use when testing SSL applications and servers.

Update: If you need to create self-signed certificates for use in Java and are running Linux, I have developed a shell script you can use. You can find the source and instructions on GitHub.
Update: If you need self-signed certificates for mutual authentication, please see my follow-up article.

1) Create a host private key using OpenSSL

openssl genrsa -out HOSTNAME-private.pem 2048
This private key is 2048 bits long and generated with the RSA algorithm. We choose not to protect it with an additional passphrase because it will be used with a server certificate, and a passphrase would have to be typed in every time the server starts. The private key is named HOSTNAME-private.pem, where HOSTNAME should be replaced by the name of the machine on which you intend to use the certificate.

1.1) Derive the public key using OpenSSL

openssl rsa -in HOSTNAME-private.pem -pubout > HOSTNAME-public.pem
This step is only necessary if you want to distribute the public key to others.

2) Create a self-signed X.509 certificate

openssl req -new -x509 -key HOSTNAME-private.pem -out HOSTNAME-certificate.pem -days 365
You will then be prompted to enter a few pieces of information; enter "." if you wish to leave a field blank.
Country Name (2 letter code) []: US
State or Province Name (full name) []: South Carolina
Locality Name (eg, city) []: Charleston
Organization Name (eg, company) []: Red Hat
Organizational Unit Name (eg, section) []: Consulting
Common Name (eg, YOUR name) []: HOSTNAME
Email Address []:.
NOTE: The Common Name field is the important one here. It is the hostname of the machine you are certifying, that is, the name in the DNS entry that resolves to your machine's IP address.

3) Create a PKCS12 keystore and import the host certificate

openssl pkcs12 -export -out keystore.pkcs12 -in HOSTNAME-certificate.pem -inkey HOSTNAME-private.pem
Provide a password when prompted.

4) Convert the PKCS12 keystore to a Java keystore using the Java keytool

keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Keytool will first ask you twice for the new password of the JKS keystore, and then for the password you set on the PKCS12 keystore created earlier.
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
It reports the number of entries successfully imported, failed, and cancelled. If nothing went wrong, you should now have another keystore file: keystore.jks.

keystore.jks is the file you will want to use in your Java applications and servers.
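The whole procedure above can be run without the interactive prompts, which is what you want once the steps live in a script or a CI job. The script below is an added example, not the author's GitHub script or anything from OpenSSL itself. It wraps steps 1 to 3 in a function, then adds the checks worth running before handing the files to a server: that the Common Name is the hostname you asked for, that the private key really belongs to the certificate, and that the PKCS12 keystore opens with the password you set. Assumptions: OpenSSL 1.1.1 or later (for -addext), and the hostname, output directory and PKCS12 password are passed in as arguments. It also adds a subjectAltName extension, because current browsers and Java clients match the hostname against that extension rather than the Common Name alone; the step 4 keytool function uses the -srcstorepass/-deststorepass options instead of the prompts and is not run by default since it needs a JDK.

```shell
#!/bin/sh
# Added example (not the post's own script): steps 1 to 3 as one function that
# runs without prompts, plus checks on the result. Assumes OpenSSL 1.1.1+.
set -eu

# make_self_signed HOST OUTDIR P12PASS
# Writes HOST-private.pem, HOST-public.pem, HOST-certificate.pem and keystore.pkcs12 into OUTDIR.
make_self_signed() {
    host="$1"; outdir="$2"; p12pass="$3"
    mkdir -p "$outdir"

    # Step 1: 2048-bit RSA private key without a passphrase, as in the post
    openssl genrsa -out "$outdir/$host-private.pem" 2048 2>/dev/null

    # Step 1.1 (optional): the matching public key
    openssl rsa -in "$outdir/$host-private.pem" -pubout -out "$outdir/$host-public.pem" 2>/dev/null

    # Step 2: self-signed X.509 certificate valid for 365 days.
    # -subj supplies the subject fields that the prompts would otherwise ask for;
    # -addext adds a subjectAltName, which modern clients check for the hostname.
    openssl req -new -x509 -key "$outdir/$host-private.pem" \
        -out "$outdir/$host-certificate.pem" -days 365 \
        -subj "/C=US/ST=South Carolina/L=Charleston/O=Red Hat/OU=Consulting/CN=$host" \
        -addext "subjectAltName=DNS:$host"

    # Step 3: PKCS12 keystore with key and certificate; -passout replaces the password prompt
    openssl pkcs12 -export -out "$outdir/keystore.pkcs12" \
        -in "$outdir/$host-certificate.pem" -inkey "$outdir/$host-private.pem" \
        -passout "pass:$p12pass"
}

# cert_cn CERT   prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san CERT HOST   succeeds if the certificate lists DNS:HOST in its subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert KEY CERT   succeeds if the key and certificate share the same RSA
# modulus, i.e. the key really belongs to the certificate (catches a mixed-up pair)
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ "$k" = "$c" ]
}

# pkcs12_opens FILE PASS   succeeds if the keystore's MAC verifies with PASS
pkcs12_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Step 4, for reference: the post's keytool conversion with the prompts replaced by
# options. Needs a JDK, so it is not called by default. The imported key entry keeps
# the PKCS12 password unless -destkeypass is given as well.
to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$4" -noprompt
}

# Usage: sh make-cert.sh HOSTNAME [OUTDIR] [P12PASS]
if [ $# -ge 1 ]; then
    make_self_signed "$1" "${2:-.}" "${3:-changeit}"
    echo "Certificate CN: $(cert_cn "${2:-.}/$1-certificate.pem")"
fi
```

The modulus comparison is the check that pays off most often in practice: a server that is handed a key and a certificate that do not belong together fails at start-up with an error that rarely says so directly.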

Published

03 July 2012