Keystore management - Part II

In Part I of this series, we discussed how you can create a signed certificate for your web server. There we got the certificate signed by the VeriSign trial CA. This post discusses how you can create your own CA, so that you can sign your certificate yourself. In other words, this post simply replaces steps 4, 5 & 6 of Part I.

Here we use OpenSSL to build the required CA infrastructure. For Windows you can download Win32 OpenSSL v0.9.8g from here. Once installed, make sure you add C:\OpenSSL\bin [i.e. [INSTALLED_LOCATION]\bin] to the PATH environment variable.

1. First we need to create a private key for our CA

openssl genrsa -des3 -out CA_key.pem 2048

This creates a private key of length 2,048 bits. With the -des3 switch we specify that we wish to protect our private key with a password, so during private key generation you'll be prompted to enter a pass phrase.

2. Now we need to create a public-key certificate for our CA with the private key generated in step 1

openssl req -new -key CA_key.pem -x509 -days 365 -out CA_cert.pem

With the -x509 switch we ask OpenSSL to generate a self-signed X.509 certificate, and the -days switch sets the expiration date of the generated certificate. During certificate generation you'll be asked a few questions to populate the necessary certificate information.

3. All set..! Now you can sign the certificate you created for your web server in Part I.

If you followed the steps up to step 3 in Part I, you'll have the Certificate Signing Request with you: csr-for-mycert.pem

You may recall that this is the file we submitted to the VeriSign Trial CA to sign our certificate in Part I. Now we use the same CSR to create a signed certificate with our own CA:

openssl x509 -req -days 365 -in csr-for-mycert.pem -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -out SignedCert.pem

This will output SignedCert.pem, which is your signed certificate.

With the -CAcreateserial switch we enable the unique assignment of serial numbers to our issued certificates. Since this is the first certificate issued by our CA, a new file (CA_cert.srl) is created containing the number "02", which is the next serial number to be used when the next certificate is issued (serial number "01" was used by the first certificate). So when issuing subsequent certificates we should use the following command:

openssl x509 -req -days 365 -in csr-for-mycert2.pem -CA CA_cert.pem -CAkey CA_key.pem -CAserial CA_cert.srl -out new_SignedCert.pem

4. Import root CA certificate to the keystore

This replaces steps 5 & 6 of Part I. There is no counterpart to step 5 here, since in this case we do not have an intermediate certificate.

So, let's add our CA root certificate to the keystore [remember, we created a keystore in Part I]:

keytool -import -v -noprompt -trustcacerts -alias verisigndemocert -file CA_cert.pem -keystore mykeystore.jks -storepass mystorepassword

5. Now, let's add the signed certificate to our keystore.

keytool -import -v -alias myowncert -file SignedCert.pem -keystore mykeystore.jks -keypass mypkpassword -storepass mystorepassword
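As an added example (not the post's own commands), here is a POSIX-shell lab run of steps 1 to 3 above, followed by the checks a practitioner should make before the keytool imports in steps 4 and 5: that the issued certificate verifies against our CA, that its issuer matches the CA subject, that the CSR's public key is the one in the issued certificate, and that CA_cert.srl was created. It assumes openssl is on the PATH; every file name, subject and passphrase is constructed for the example, and -passout/-passin/-subj replace the interactive prompts.

```shell
#!/bin/sh
# Lab run of the CA flow from this post (constructed example, not the post's own commands).
# Assumes: openssl on PATH. All names, subjects and passphrases below are constructed.

build_ca_and_sign() {
  work=$(mktemp -d) || return 1
  if (
    cd "$work" || exit 1
    # Step 1: DES3-protected CA private key; -passout supplies the passphrase non-interactively
    openssl genrsa -des3 -passout pass:labcapass -out CA_key.pem 2048 2>/dev/null || exit 1
    # Step 2: self-signed CA certificate; -subj answers the interactive questions
    openssl req -new -key CA_key.pem -passin pass:labcapass -x509 -days 365 \
      -subj "/CN=Lab Root CA" -out CA_cert.pem 2>/dev/null || exit 1
    # Stand-in for Part I steps 1-3: an unencrypted server key and its CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout server_key.pem \
      -subj "/CN=server.example.test" -out csr-for-mycert.pem 2>/dev/null || exit 1
    # Step 3: issue the server certificate; -CAcreateserial creates CA_cert.srl
    openssl x509 -req -days 365 -in csr-for-mycert.pem -CA CA_cert.pem -CAkey CA_key.pem \
      -passin pass:labcapass -CAcreateserial -out SignedCert.pem 2>/dev/null || exit 1

    # Checks worth running before importing anything into the keystore:
    # (a) the issued certificate chains to our CA
    openssl verify -CAfile CA_cert.pem SignedCert.pem 2>/dev/null | grep -q ': OK$' || exit 1
    # (b) its issuer is exactly our CA's subject
    ca_subj=$(openssl x509 -in CA_cert.pem -noout -subject | sed 's/^subject//')
    leaf_iss=$(openssl x509 -in SignedCert.pem -noout -issuer | sed 's/^issuer//')
    [ "$ca_subj" = "$leaf_iss" ] || exit 1
    # (c) the public key in the CSR is the one that ended up in the certificate
    csr_pub=$(openssl req -in csr-for-mycert.pem -noout -pubkey)
    crt_pub=$(openssl x509 -in SignedCert.pem -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || exit 1
    # (d) the serial file exists, so later issuance can use -CAserial CA_cert.srl
    [ -s CA_cert.srl ] || exit 1
  ); then
    status=0
  else
    status=1
  fi
  rm -rf "$work"
  return $status
}
```

The function returns 0 only when every check passes; run it with `build_ca_and_sign && echo "CA flow verified"`.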