rem Builds a three-level certificate chain: a self-signed root CA, an
rem intermediate CA signed by the root, and a server certificate signed by the
rem intermediate, then packs the server key and chain into PKCS12 and JKS
rem keystores. Each step reads files written by an earlier step, so the order
rem of the commands matters.
rem
rem create root ca
rem -x509 makes req emit a self-signed certificate instead of a request.
rem -nodes leaves root.key unencrypted on disk and -days 36500 gives the
rem certificate a lifetime of about 100 years, so anyone who can read root.key
rem can issue trusted certificates for that whole period. Restrict access to
rem the file, or keep this root for test setups only.
openssl req -x509 -newkey rsa:2048 -keyout root.key -out root.crt -days 36500 -subj "/C=US/ST=CA/O=Root CA, Inc." -nodes
rem create intermediate cert
rem caext.txt must already exist when the signing command runs: it is passed
rem with -extfile and supplies the CA extensions written into ca.crt.
rem -CAcreateserial lets openssl create the serial number file for the root
rem if it does not exist yet.
openssl genrsa -out ca.key 2048
openssl req -new -sha256 -nodes -key ca.key -subj "/C=US/ST=CA/O=Intermediate CA, Inc./CN=my.ca.com" -out ca.csr
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial -out ca.crt -days 500 -sha256 -extfile caext.txt
rem create server cert
rem NOTE(review): the basicConstraints value requested with -addext is stored
rem in server.csr only. openssl x509 -req does not copy request extensions
rem into the certificate by default, and no -extfile is given on the signing
rem command, so server.crt is likely issued without that extension and without
rem a subjectAltName. Confirm with: openssl x509 -in server.crt -noout -text
rem OpenSSL 3.x has -copy_extensions for x509 -req; on older versions supply
rem an extensions file, as is done for the intermediate certificate.
openssl genrsa -out server.key 2048
openssl req -new -sha256 -nodes -key server.key -subj "/C=US/ST=CA/O=Daniel's, Inc./CN=my.server.com" -out server.csr -addext "basicConstraints=CA:false"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
rem create keystore
rem -certfile ca.crt adds the intermediate certificate to the bundle so the
rem server can present the chain. changeit is a placeholder password; a
rem password given as pass: on the command line is visible in the process
rem list and in shell history. openssl also accepts env: and file: sources.
openssl pkcs12 -export -in server.crt -inkey server.key -out keystore.p12 -certfile ca.crt -name server -password pass:changeit
rem convert to jks if required
rem Copies the entry with alias server from keystore.p12 into KeyStore.jks.
rem Source and destination use the same placeholder password.
keytool -importkeystore -srcstorepass changeit -deststorepass changeit -destkeystore KeyStore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias server
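Before running the commands above, create a text file caext.txt with the following content (the command that signs the intermediate certificate reads it through -extfile):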
basicConstraints=critical, CA:true, pathlen:0
If you want to connect a Java client to that server, you also need a trust store. The following line will create one:
rem Imports root.crt under alias 1 into rootca.jks as a trusted certificate.
rem -noprompt skips the confirmation keytool would otherwise ask for, so check
rem that root.crt is the intended root certificate before running this.
keytool -import -noprompt -alias 1 -keystore rootca.jks -file root.crt -storepass changeit
The extensions file is necessary: without it the intermediate CA certificate is issued as an X.509 v1 certificate, which carries no basicConstraints extension, and Java works only with v3 CA certificates.