An SSL certificate was required for one of our customers. The SSL certificate was to be used with a Tomcat server, but I decided to give the customer the flexibility to re-use this certificate on a different webserver if needed. This meant I used openssl to generate the certificate and then created a pkcs12 keystore.
Create the private key and certificate request
Create the certificate key
openssl genrsa -des3 -out customercert.key 2048
Remove the passphrase from the key
openssl rsa -in customercert.key -out customercert.key.new
mv customercert.key.new customercert.key
Create the Certificate request
openssl req -new -key customercert.key -out customercert.csr
Create the Keystore file for use with tomcat and keytool
I had some trouble getting this to work. This is a very simple procedure when working with certs signed by GoDaddy, but certs from Verisign needed some extra hand-holding. There is some information on how to do this is found at http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips.
I did not follow the instructions on this site. I ended up creating a keystore in the pkcs12
format instead of the default jks
format. This site above does have instructions for converting a pkcs12
keystore to a jks
format, if you require.
The signed certificate was downloaded to clients.adaptivetcr.com.cer
. The Secure Site with EV Root bundle was downloaded to intermediate.crt
. When I first attempted to create the keystore file, I received the error below
openssl pkcs12 -export -chain -CAfile intermediate.crt -in customercert.cer \ -inkey customercert.key -out customercert.keystore -name tomcat -passout pass:changeit\ Error unable to get issuer certificate getting chain.
Now the interesting thing about this error is that if you attempt a openssl verify
using both cert file and intermediate.crt
, it does not complain and gives the “OK” message. After a bit of testing, I found that you need to make a new CAfile to be used, that combines the cacerts file from the openssl distribution and the intermediate.crt file.
cat intermediate.crt /etc/ssl/certs/ca-certificates.crt > allcacerts.crt openssl pkcs12 -export -chain -CAfile allcacerts.crt -in customercert.cer \ -inkey customercert.key -out customercert.keystore -name tomcat -passout \ pass:changeit
This successfully created the keystore file. You can look at the contents of the keystore by running
keytool -list -keystore customercert.keystore -storetype pkcs12 -v