SSL: Creating a self signed certificate

By Maurizio Farina | Posted on May 2018 |

This post is a brief guide on how to create a self signed SSL certificate using Java Keytool, a simple tool included in Java folder bin.

Many cases require to buy a trusted certificate but sometimes is possible togenerate and use a self signed certificate for free.

An SSL certificate is useful to verify the identity of the server; the data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

A self signed certificare is used for development or for applications installed and used inside an intranet.

Java keytool is a key and certificate management utility.

Generate a java keystore and key pair

Executing the following command allows to create a new certificate. The command prompots a list of questions to answer using your organization information.

1
keytool -genkey -alias mySSLSelfSigned -keyalg RSA -keystore ssl.keystore -storepass keystorepasswordhere -validity 360 -keysize 2048
  • genkey: Generates a key pair (a public key and associated private key). This certificate chain and the private key are stored in a new keystore entry identified by alias.
  • keyalg specifies the algorithm to be used to generate the key pair
  • keysize specifies the size of each key to be generated

Note

Generates a Certificate Signing Request (CSR) A CSR is used by certificate authority (CA) to authenticate the certificate requestor. The CA returns a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.
sh keytool -certreq -alias ssl-alias-name -file certreq.csr -keystore ssl.keystore`

List certificates

1
keytool -list -keystore ssl.keystore -v

Example: Configure wildfly

Note: Include below tags inside the ...

1
2
3
4
5
6
7
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="ssl.keystore" relative-to="jboss.server.config.dir"  keystore-password="keystorepasswordhere"/>
        </ssl>
    </server-identities>
</security-realm>

Note: add the below tags inside ...

1
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>

Try to open your URL using port 6443.

The Most common Java Keytool Commands

Generate a Java keystore and key pair

1
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Generate a certificate signing request (CSR) for an existing Java keystore

1
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

Import a root or intermediate CA certificate to an existing Java keystore

1
keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

Import a signed primary certificate to an existing Java keystore

1
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks