# mkdir certs
# cd certs
~certs$
# openssl genrsa 4096 > ca-key.pem
Generating RSA private key, 4096 bit long modulus
.....+++
...............................................................................................................................................................+++
e is 65537 (0x10001)
# openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Joshua Tree
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanyname
Organizational Unit Name (eg, section) []:mygroupname
Common Name (e.g. server FQDN or YOUR name) []:fortressdemo2.com
Email Address []:
# openssl req -newkey rsa:4096 -days 1825 -nodes -keyout server-key.pem -out server-req.pem
Generating a 4096 bit RSA private key
................................................................................................................................................+++
........................+++
writing new private key to 'server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Joshua Tree
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanyname
Organizational Unit Name (eg, section) []:mygroupname
Common Name (e.g. server FQDN or YOUR name) []:fortressdemo2.com   <- the name you specify here must match the value entered in the Set Hostname Entry step
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:
# openssl rsa -in server-key.pem -out server-key.pem
writing RSA key
# openssl x509 -req -in server-req.pem -days 1825 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Signature ok
subject=/C=US/ST=California/L=Joshua Tree/O=mycompanyname/OU=mygroupname/CN=Shawn McKinney
# ls
ca-cert.pem  server-cert.pem  server-key.pem
The export password must be entered as the 'source keystore password' in the next step.
# openssl pkcs12 -export -name fortressDemo2ServerCACert -in server-cert.pem -inkey server-key.pem -out mykeystore.p12
Enter Export Password:
Verifying - Enter Export Password:
The value for the keystore's destination password must be placed inside the tomcat server.xml later in this tutorial.
# keytool -importkeystore -destkeystore mykeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -alias fortressDemo2ServerCACert -deststoretype pkcs12
Enter destination keystore password:
Enter source keystore password:
Step through the prompts...
# keytool -import -alias fortressDemo2ServerCACert -file ca-cert.pem -keystore mytruststore -deststoretype pkcs12
Remember the value for the truststore's password. It maps to the fortress property named 'trust.store.password' later in this tutorial.
Enter keystore password:
Re-enter new password:
Owner: CN=fortressdemo2.com, OU=mygroupname, O=mycompanyname, L=Joshua Tree, ST=California, C=US
Issuer: CN=fortressdemo2.com, OU=mygroupname, O=mycompanyname, L=Joshua Tree, ST=California, C=US
Serial number: fae6c81e389bbeef
Valid from: Tue Aug 05 08:47:43 PDT 2014 until: Thu Jun 13 08:47:43 PDT 2024
Certificate fingerprints:
         MD5:  8E:DF:5F:4E:CB:ED:33:E7:72:1E:76:D8:15:60:48:A5
         SHA1: 18:35:4E:32:10:4D:D2:D4:52:A0:70:31:CE:1D:99:AB:14:23:EC:8C
         SHA256: C6:37:4F:E5:59:C7:4B:DF:E2:FE:BA:7D:93:7C:03:FA:29:12:8F:F1:53:EF:E6:B5:5F:09:A4:53:6A:5F:C4:04
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AE C6 DD DE 82 84 4D 0E   48 FB CF 79 40 16 D1 3A  ......M.H..y@..:
0010: 00 D3 16 4B                                        ...K
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AE C6 DD DE 82 84 4D 0E   48 FB CF 79 40 16 D1 3A  ......M.H..y@..:
0010: 00 D3 16 4B                                        ...K
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore
# ls
ca-cert.pem  ca-key.pem  mykeystore  mykeystore.p12  mytruststore  server-cert.pem  server-key.pem  server-req.pem
This is free and unencumbered software released into the public domain.