How to create a self-signed root certificate and an intermediate CA to be imported into a Java keystore?
We will use this for SSL and TLS, and later for Client certificate ba
This is based on the guide by Jamie Nguyen. Special thanks to him for writing the guide that made this possible, thank you!
Following the guide at https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/, do the following:
Install OpenSSL for Windows: http://slproweb.com/products/Win32OpenSSL.html
Add the OpenSSL bin folder to the PATH environment variable.
Create a directory for the certificates; I will call it cert-test.
Use the following openssl.cfg data for the [ CA_default ] section:
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key.pem # The private key
RANDFILE = $dir/.rnd # private random number file
Create the directories certs, crl, newcerts and private in cert-test.
Use the following commands to create the root CA:
openssl genrsa -aes256 -out private/ca.key.pem 4096
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
Create the folder intermediate.
Inside it, create the folders certs, crl, newcerts and private.
Create the file index.txt.
Create the file serial and write a number into it, such as 1000.
Execute the following commands:
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
openssl req -config intermediate/openssl.cfg -sha256 -new -key intermediate/private/intermediate.key.pem -out intermediate/certs/intermediate.csr.pem
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions v3_ca -notext -md sha256 -in intermediate/certs/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
Create the certificate chain with cat:
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
Import the certificates with keytool:
keytool -importkeystore -srckeystore ia.p12 -srcstoretype PKCS12 -destkeystore ia.jks
keytool -import -noprompt -trustcacerts -alias test_certificate -file ia.crt -keystore ia.jks -storepass helloworld
keytool -importcert -alias test_cert_ca -keystore "c:\Program Files\Java\jdk1.8.0\jre\lib\security\cacerts" -file ca.crt
keytool -importcert -alias test_cert_ia -keystore "c:\Program Files\Java\jdk1.8.0\jre\lib\security\cacerts" -file ia.crt
You might also have to import the CA certificate into ia.jks.
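A check worth running before the keytool imports, as an added example that is not part of the original guide: it rebuilds the root and intermediate in a scratch directory with the same openssl steps, then verifies that the intermediate chains to the root, is marked as a CA, and comes first in ca-chain.cert.pem. The function names, subject names, 2048-bit unencrypted keys and the trimmed config are assumptions made so that it runs unattended.

```bash
# Added example, not from the original guide. Demo shortcuts (assumptions):
# 2048-bit unencrypted keys, constructed subject names and minimal config.
make_demo_chain() (      # $1 = empty directory standing in for cert-test
  set -e; cd "$1"
  mkdir -p certs crl newcerts private intermediate/certs intermediate/private
  : > index.txt; echo 1000 > serial
  cat > openssl.cfg <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out private/ca.key.pem 2048 2>/dev/null
  openssl req -config openssl.cfg -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -key private/ca.key.pem -subj "/CN=Demo Root CA" -out certs/ca.cert.pem
  openssl genrsa -out intermediate/private/intermediate.key.pem 2048 2>/dev/null
  openssl req -config openssl.cfg -new -sha256 -subj "/CN=Demo Intermediate CA" \
    -key intermediate/private/intermediate.key.pem -out intermediate/certs/intermediate.csr.pem
  openssl ca -batch -config openssl.cfg -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -extensions v3_ca -notext -md sha256 -in intermediate/certs/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem 2>/dev/null
  cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
)

check_chain() (          # $1 = directory laid out as above; exit code names the failed check
  cd "$1" || exit 1
  ic=intermediate/certs/intermediate.cert.pem
  # 2: the intermediate must verify against the root certificate alone
  openssl verify -CAfile certs/ca.cert.pem "$ic" >/dev/null 2>&1 || exit 2
  # 3: it must carry CA:TRUE, otherwise certificates it issues will not validate
  openssl x509 -in "$ic" -noout -text | grep -q 'CA:TRUE' || exit 3
  # 4: chain file order is intermediate first, root last (x509 reads the first PEM block)
  [ "$(openssl x509 -in intermediate/certs/ca-chain.cert.pem -noout -subject)" = \
    "$(openssl x509 -in "$ic" -noout -subject)" ] || exit 4
)
d=$(mktemp -d); make_demo_chain "$d"; check_chain "$d" && echo "chain OK: $d"
```

Point check_chain at the real cert-test directory to run the same three checks on the certificates created above.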