Monday, April 29, 2019

Creating a test certificate chain with OpenSSL

To create a certificate chain (starting from root CA with one intermediate CA) for use in a Java SSL server, create a batch file with the following:

rem create root ca
openssl req -x509 -newkey rsa:2048 -keyout root.key -out root.crt -days 36500 -subj "/C=US/ST=CA/O=Root CA, Inc." -nodes

rem create intermediate cert
openssl genrsa -out ca.key 2048
openssl req -new -sha256 -nodes -key ca.key -subj "/C=US/ST=CA/O=Intermediate CA, Inc./CN=my.ca.com" -out ca.csr
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial -out ca.crt -days 500 -sha256 -extfile caext.txt

rem create server cert
openssl genrsa -out server.key 2048
openssl req -new -sha256 -nodes -key server.key -subj "/C=US/ST=CA/O=Daniel's, Inc./CN=my.server.com" -out server.csr -addext "basicConstraints=CA:false"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

rem create keystore
openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12 -certfile ca.crt -name server -password pass:changeit

rem convert to jks if required
keytool -importkeystore -srcstorepass changeit -deststorepass changeit -destkeystore KeyStore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias server

Create a text file caext.txt with the following content:

basicConstraints=critical, CA:true, pathlen:0

If you want to connect a Java client to that server, you also need a trust store. The following line will create one:

keytool -import -noprompt -alias 1 -keystore rootca.jks -file root.crt -storepass changeit

The extensions file is necessary: without it, openssl x509 -req emits a v1 certificate for the intermediate CA, and Java accepts only v3 CA certificates.
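As an added example that is not part of the original post, here is the same chain built as a POSIX shell script, with every extension made explicit and the checks a practitioner should run before handing the keystore to Java. It assumes OpenSSL 1.1.1 or later on PATH; the file names, subjects and the hostname my.server.com mirror the batch file above, while the server extension file serverext.txt and the Test Root CN are my additions. Note that openssl x509 -req does not copy extensions from the CSR, so the -addext on the server request in the batch file never reaches the signed certificate; an -extfile is what puts them there.

```shell
#!/bin/sh
# Added example, not part of the original post: POSIX-shell version of the
# batch file, with explicit extensions and post-build checks.
# Assumes: OpenSSL 1.1.1+ on PATH. Subjects and hostnames are made-up test values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension files. "openssl x509 -req" ignores extensions carried in the CSR
# (unless -copy_extensions is given on OpenSSL 3.x), so -extfile is what
# actually lands extensions in the signed certificate.
write_ext_files() {
    # Intermediate: a v3 CA that may issue end-entity certificates only (pathlen:0).
    cat > "$WORK/caext.txt" <<'EOF'
basicConstraints=critical, CA:true, pathlen:0
keyUsage=critical, keyCertSign, cRLSign
EOF
    # Server: explicitly not a CA, plus the SAN that clients match the hostname on.
    cat > "$WORK/serverext.txt" <<'EOF'
basicConstraints=critical, CA:false
keyUsage=critical, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:my.server.com
EOF
}

build_chain() {
    write_ext_files
    (
        cd "$WORK"
        # Root CA: self-signed; "req -x509" makes it v3 via the default openssl.cnf.
        openssl req -x509 -newkey rsa:2048 -keyout root.key -out root.crt -days 36500 \
            -subj "/C=US/ST=CA/O=Root CA, Inc./CN=Test Root" -nodes 2>/dev/null
        # Intermediate CA, signed by the root with the CA extension file.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -sha256 -key ca.key \
            -subj "/C=US/ST=CA/O=Intermediate CA, Inc./CN=my.ca.com" -out ca.csr
        openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -out ca.crt -days 500 -sha256 -extfile caext.txt 2>/dev/null
        # Server certificate, signed by the intermediate with the leaf extension file.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -sha256 -key server.key \
            -subj "/C=US/ST=CA/O=Example, Inc./CN=my.server.com" -out server.csr
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out server.crt -days 365 -sha256 -extfile serverext.txt 2>/dev/null
        # PKCS#12 keystore holding the leaf key and the intermediate, so a Java
        # server sends the full chain rather than the leaf alone.
        openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt \
            -name server -password pass:changeit -out keystore.p12
    )
}

# Number of certificates bundled in the PKCS#12 keystore (expected: 2).
keystore_cert_count() {
    openssl pkcs12 -in "$WORK/keystore.p12" -password pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Return 0 only if the chain is what the Java server and client need: the leaf
# validates to the root through the intermediate, the intermediate is v3 with a
# bounded path length, the leaf carries the SAN, and the keystore holds both certs.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/ca.crt" \
        "$WORK/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'Version: 3' || return 1
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0' || return 1
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'DNS:my.server.com' || return 1
    [ "$(keystore_cert_count)" -eq 2 ]
}

build_chain
if verify_chain; then
    echo "chain OK, files in $WORK"
else
    echo "chain check failed, inspect $WORK" >&2
    exit 1
fi
```

The output directory can be fixed with WORK=/some/dir before running. The pathlen:0 check is the one worth keeping in a test setup: it confirms the intermediate cannot be used to mint further CAs, and the openssl verify call with -untrusted mirrors exactly what a client holding only root.crt (the rootca.jks trust store above) will do when the server presents server.crt plus ca.crt.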