SSL: Creating a self signed certificate
By Maurizio Farina | Posted on May 2018 |
This post is a brief guide on how to create a self signed SSL certificate using Java Keytool, a simple tool included in the bin folder of the Java installation.
Many cases require buying a certificate from a trusted CA, but sometimes it is possible to generate and use a self signed certificate for free.
An SSL certificate is used to verify the identity of the server; the data is digitally signed, and the signature can be verified to check the data's integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.
A self signed certificate is used for development or for applications installed and used inside an intranet.
Java keytool is a key and certificate management utility.
Generate a Java keystore and key pair
Executing the following command creates a new key pair and self signed certificate. The command prompts a list of questions that you answer with your organization information.
keytool -genkey -alias mySSLSelfSigned -keyalg RSA -keystore ssl.keystore -storepass keystorepasswordhere -validity 360 -keysize 2048
- genkey: generates a key pair (a public key and associated private key). The public key is wrapped in a self signed certificate; this certificate chain and the private key are stored in a new keystore entry identified by the alias.
- keyalg: specifies the algorithm to be used to generate the key pair
- keysize: specifies the size of each key to be generated
Generate a Certificate Signing Request (CSR)
A CSR is used by a certificate authority (CA) to authenticate the certificate requestor. The CA returns a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self signed certificate) in the keystore.
keytool -certreq -alias mySSLSelfSigned -file certreq.csr -keystore ssl.keystore
To inspect the keystore contents (entry type, certificate fingerprint and validity period):
keytool -list -keystore ssl.keystore -v
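The two sections above (key pair generation and CSR creation) as one non-interactive script. This is an added example and not code from the original post; the alias mySSLSelfSigned, the 360-day validity and the ssl.keystore file name are taken from the post, while the store password "changeit", the subject name CN=localhost and the Subject Alternative Name entries are assumptions. It adds what a practitioner usually needs on top of the post's commands: -dname to skip the interactive questions, a SAN extension (browsers ignore the CN alone), an explicit PKCS12 store type, and checks that the expected entry, certificate and CSR were actually produced.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive keytool workflow.
# Assumed values: password "changeit", CN=localhost, SAN dns:localhost,ip:127.0.0.1.
# Save as selfsigned_keystore.sh and run it to execute the whole demo.

SAN="SAN=dns:localhost,ip:127.0.0.1"

# Create a PKCS12 keystore holding a fresh RSA key pair and a self-signed
# certificate. -dname avoids the interactive questions; -ext adds the SAN.
create_selfsigned_keystore() {
  store="$1"; alias="$2"; pass="$3"
  keytool -genkeypair \
    -alias "$alias" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 360 \
    -dname "CN=localhost, OU=Dev, O=Example, C=US" \
    -ext "$SAN" \
    -storetype PKCS12 \
    -keystore "$store" -storepass "$pass" -keypass "$pass"
}

# Return 0 only if the keystore holds a private key entry under the alias.
keystore_has_key_entry() {
  store="$1"; alias="$2"; pass="$3"
  keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" \
    | grep -q PrivateKeyEntry
}

# Export the public certificate in PEM form (what clients import as trusted).
export_certificate() {
  store="$1"; alias="$2"; pass="$3"; out="$4"
  keytool -exportcert -rfc -alias "$alias" \
    -keystore "$store" -storepass "$pass" -file "$out"
}

# Create a CSR for the alias. The SAN must be requested again here, it is not
# copied from the self-signed certificate.
create_csr() {
  store="$1"; alias="$2"; pass="$3"; out="$4"
  keytool -certreq -alias "$alias" -ext "$SAN" \
    -keystore "$store" -storepass "$pass" -file "$out"
}

# Run every step inside the given directory and print the exported certificate.
run_demo() {
  dir="$1"; mkdir -p "$dir"
  store="$dir/ssl.keystore"; alias=mySSLSelfSigned; pass=changeit
  create_selfsigned_keystore "$store" "$alias" "$pass"
  keystore_has_key_entry "$store" "$alias" "$pass"
  export_certificate "$store" "$alias" "$pass" "$dir/server.crt"
  create_csr "$store" "$alias" "$pass" "$dir/certreq.csr"
  keytool -printcert -file "$dir/server.crt"
}

# Only run the demo when executed directly under the suggested file name.
case "$0" in *selfsigned_keystore.sh) run_demo "${1:-./selfsigned-demo}" ;; esac
```

Usage: `sh selfsigned_keystore.sh /tmp/demo` creates ssl.keystore, server.crt and certreq.csr in /tmp/demo and prints the certificate's subject, SAN and validity. The keystore password is passed on the command line here for brevity; in practice keytool can read it from a file with -storepass:file, which keeps it out of the shell history.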
Example: Configure WildFly
Note: Include below tags inside the
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="ssl.keystore" relative-to="jboss.server.config.dir" keystore-password="keystorepasswordhere"/>
        </ssl>
    </server-identities>
</security-realm>
Note: add the below tags inside
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
Open your URL on port 6443 to verify that the HTTPS listener is serving the certificate.
The most common Java Keytool commands
Generate a Java keystore and key pair
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
Generate a certificate signing request (CSR) for an existing Java keystore
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks
Import a signed primary certificate to an existing Java keystore
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks