
Creating self-signed certificates using OpenSSL and KeyTool

Although building trust between two parties requires going through a recognized CA (Certification Authority), you can certainly create self-signed certificates to test a web application that uses digital certificates for encryption and signing.

There are mainly two popular tools in the industry for creating self-signed certificates:

1. OpenSSL
2. Keytool

Using OpenSSL

1. Generate the private key. There are two types of private keys: RSA and DSA.

Creating the RSA private key takes only one step:

openssl genrsa -out crish_private_key.pem 2048

Creating the DSA private key takes two steps: first generate the DSA parameters, then derive the key from them.

openssl dsaparam -out crish_dsa_param.pem 2048

openssl gendsa -out crish_private_key.pem crish_dsa_param.pem

2. Generate the certificate using the generated private key.

openssl req -new -x509 -key crish_private_key.pem -out crish_cert.pem -days 365

3. Bundle the certificate and its private key into PKCS12 format (which is the keystore).

openssl pkcs12 -export -in crish_cert.pem -inkey crish_private_key.pem -out crish_cert.p12

4. Generate a CSR (Certificate Signing Request) when you need a certificate vouched for by a real CA. Send this CSR file to the chosen CA to obtain a signed certificate.

openssl req -new -key crish_private_key.pem -out crish_certificate_request.csr

Reference: http://www.akadia.com/services/ssh_test_certificate.html
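The OpenSSL steps above, run end to end and then checked, as an added example that is not part of the original page. It assumes an `openssl` binary on the PATH; the subject DN, the keystore password and the working directory are constructed placeholders, and the file names follow the page.

```shell
#!/bin/sh
# Added example (not from the original page): run the OpenSSL steps above
# non-interactively, then verify what came out before loading it anywhere.
# File names follow the page; the subject DN and the P12 password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/crish_private_key.pem"
CERT="$WORK/crish_cert.pem"
P12="$WORK/crish_cert.p12"
CSR="$WORK/crish_certificate_request.csr"
SUBJ="/CN=crish.example.test/O=Example"   # constructed placeholder subject
P12PASS="changeit"                         # constructed placeholder password

make_artifacts() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  # -days needs its leading dash; -subj avoids the interactive prompts.
  openssl req -new -x509 -key "$KEY" -out "$CERT" -days 365 -subj "$SUBJ" 2>/dev/null
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$P12" -passout "pass:$P12PASS"
  openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
}

# The public key inside the certificate must be the one derived from the private
# key; a mismatch here is the usual cause of "key values mismatch" at server start.
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY" -pubout)" = "$(openssl x509 -in "$CERT" -pubkey -noout)" ]
}
# Self-signed means issuer == subject and the certificate verifies against itself.
cert_is_self_signed() {
  s=$(openssl x509 -in "$CERT" -noout -subject); i=$(openssl x509 -in "$CERT" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ] && openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}
# A CSR carries its own signature; check it before sending the request to a CA.
csr_is_valid() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}
# The PKCS12 keystore must hold the same certificate (compare SHA-256 fingerprints).
p12_holds_cert() {
  p=$(openssl pkcs12 -in "$P12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
  [ -n "$p" ] && [ "$p" = "$(openssl x509 -in "$CERT" -noout -fingerprint -sha256)" ]
}

make_artifacts
for check in key_matches_cert cert_is_self_signed csr_is_valid p12_holds_cert; do
  if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

Running it prints one OK line per check; artifacts are left in the temporary directory named by WORK so they can be inspected with the commands on this page.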

Using Keytool

1. Generate the key pair directly into a keystore (JKS).

For RSA:

keytool -genkey -keyalg RSA -keysize 2048 -keystore crish_keystore.jks -alias crish

For DSA:

keytool -genkey -keyalg DSA -keysize 2048 -keystore crish_keystore.jks -alias crish

2. Generate the CSR.

keytool -certreq -alias crish -keystore crish_keystore.jks -file crish_certificate_request.csr

If you compare the two methods above, it is apparent that Keytool needs fewer steps than OpenSSL. OpenSSL, however, can import and export private keys using keystores.

Reference: http://www.linux.com/archive/feed/37792?page=2

How to list a keystore's contents?

keytool -list -v -keystore crish_keystore.jks -storepass password

The difference between the keystore and truststore

A keystore contains private keys, and the certificates with their corresponding public keys. You only need this if the server requires client authentication. A truststore contains the certificates of other parties that you expect to communicate with.

The keystore and truststore can be the same file. However, it's usually easier to manage keys if they are separate: the truststore can contain the public certificates of trusted CAs and can be shared easily, while the keystore can contain the private key and certificate of the local server and can be stored in a protected location.

If your server's certificate is signed by a recognized CA, the default truststore that ships with the JRE will already trust it (because it already trusts trustworthy CAs), so you don't need to build your own, or to add anything to the one the JRE ships with.
