Wednesday, July 25, 2007

How to create a custom CA and certificates for SSL using OpenSSL

Step 1. Go to and download the binary.

Step 2. Create directories to hold your CA keys, your server keys and, if you want to use SSL client authentication, your client keys. For the sake of argument let's assume that these directories are called "ssl/ca", "ssl/server" and "ssl/client".

Step 3. Create a private key and certificate request for your own CA:
openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout ssl/ca/ca.key

Step 4. Create your CA's self-signed certificate (note: this lasts one year; increase the days setting to whatever you want):
openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in ssl/ca/ca.csr -out ssl/ca/ca.pem
WINDOWS USERS: If you copy the ca.pem file to ca.crt and edit the file so that the strings "TRUSTED CERTIFICATE" read "CERTIFICATE", you can import your CA certificate into your trusted root certificates store.

Step 5. Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ssl/ca/ca.pem -alias my_ca
Windows users need to replace $JAVA_HOME with %JAVA_HOME%.

Step 6. Create a file to hold your CA's serial numbers. This file starts with the number "2":
echo "02" > ssl/ca/

Step 7. Create a keystore for your web server:
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore ssl/server/server.ks -storetype JKS

Step 8. Create a certificate request for your web server:
keytool -certreq -keyalg RSA -alias tomcat -file ssl/server/server.csr -keystore ssl/server/server.ks
You need to edit the certificate request file slightly. Open it up in a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST".

Step 9. Have your CA sign your certificate request:
openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ -req -in ssl/server/server.csr -out ssl/server/server.crt -days 365

Step 10. Import your signed server certificate into your server keystore:
keytool -import -alias tomcat -keystore ssl/server/server.ks -trustcacerts -file ssl/server/server.crt
You should see the message "Certificate reply was installed in keystore".

Step 11. Import your CA certificate into your server keystore:
keytool -import -alias my_ca -keystore ssl/server/server.ks -trustcacerts -file ssl/ca/ca.pem
This step is only necessary if you wish to use SSL client authentication with Tomcat.

Step 12. Set up an SSL connector for Tomcat. I assume that you know, or can find out, how to do this. Open up conf/server.xml in a text editor and search for the text "keystoreFile". Ensure that the attribute value is the keystore you've created above.


Step 13. Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out ssl/client/client1.req -keyout ssl/client/client1.key
The common name of the client must match a user in Tomcat's user realm (a user entry in conf/tomcat-users.xml).

Step 14. Have your CA sign your client certificate:
openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ -req -in ssl/client/client1.req -out ssl/client/client1.pem -days 365

Step 15. Generate a PKCS12 file containing your client key and client certificate:
openssl pkcs12 -export -clcerts -in ssl/client/client1.pem -inkey ssl/client/client1.key -out ssl/client/client1.p12 -name "my_client_certificate"

Step 16. Import the PKCS12 file into your web browser to use as your client certificate and key.
Repeat steps 13-16 as often as required.

Step 17. Enable client certificate authentication in Tomcat. Open up conf/server.xml and search for the text "clientAuth". Set the value of the attribute to "true".
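The OpenSSL part of the procedure above (steps 3, 4, 6, 9 and 13 to 15) as one repeatable script, added here as an example and not code from the original post. It uses openssl in place of keytool for the server key and request (steps 7 and 8), 2048-bit keys and explicit certificate extensions instead of the 2007 settings, assumes the serial file is named ssl/ca/ca.srl, and finishes with the chain check the post does not include.

```shell
# Added example, not from the original post: the OpenSSL part of the procedure
# above as one repeatable script. Deliberate differences: openssl makes the
# server CSR (step 8 uses keytool), keys are 2048-bit instead of 1024/512, CA
# and leaf extensions are explicit, the serial file is assumed to be named
# ssl/ca/ca.srl, and each issued certificate is checked with 'openssl verify'.
set -e

# sign_with_ca BASE CSR OUT EXTS : steps 9 and 14, plus leaf extensions.
# Each signature consumes one serial from ca.srl and writes back the next one.
sign_with_ca() {
    printf '%b' "$4" > "$3.ext"
    openssl x509 -req -days 365 -CA "$1/ca/ca.pem" -CAkey "$1/ca/ca.key" \
        -CAserial "$1/ca/ca.srl" -in "$2" -extfile "$3.ext" -out "$3" 2>/dev/null
}

# make_pki DIR : build DIR/ssl/{ca,server,client}. Returns 0 only if both
# signed certificates chain back to the CA.
make_pki() {
    base="$1/ssl"
    mkdir -p "$base/ca" "$base/server" "$base/client"
    # Steps 3 and 4: CA key, CSR and self-signed CA certificate. Without
    # basicConstraints=CA:TRUE a modern verifier rejects it as an issuer.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$base/ca/ca.key" -out "$base/ca/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$base/ca/ca.ext"
    openssl x509 -req -days 365 -in "$base/ca/ca.csr" -signkey "$base/ca/ca.key" \
        -extfile "$base/ca/ca.ext" -out "$base/ca/ca.pem" 2>/dev/null
    # Step 6: serial file. The first certificate issued gets serial 03.
    echo "02" > "$base/ca/ca.srl"
    # Steps 7 to 9, openssl standing in for keytool: server key, CSR, signature.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$base/server/server.key" -out "$base/server/server.csr" 2>/dev/null
    sign_with_ca "$base" "$base/server/server.csr" "$base/server/server.crt" \
        'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n'
    # Steps 13 to 15: client key and CSR (CN = the Tomcat realm user name),
    # CA signature, then the PKCS#12 bundle for the browser (constructed passphrase).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$base/client/client1.key" -out "$base/client/client1.req" 2>/dev/null
    sign_with_ca "$base" "$base/client/client1.req" "$base/client/client1.pem" \
        'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n'
    openssl pkcs12 -export -clcerts -in "$base/client/client1.pem" \
        -inkey "$base/client/client1.key" -out "$base/client/client1.p12" \
        -name "my_client_certificate" -passout pass:changeit
    # The check the post leaves out: does each issued certificate verify?
    openssl verify -CAfile "$base/ca/ca.pem" "$base/server/server.crt" >/dev/null
    openssl verify -CAfile "$base/ca/ca.pem" "$base/client/client1.pem" >/dev/null
}
```

Run it as `make_pki /some/empty/dir`; the keytool steps (5, 7, 8, 10, 11) still apply to the files it produces, with server.key and server.crt replacing the keystore-generated pair.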



namrataghadi said...


Great post!!
However, I would like to mention that the order of importing the certificates in server keystore should be :
First the CA's certificate and then the server's signed certificate. Else keytool throws an exception:
java.lang.exception: Failed to establish chain from the reply.


Michele said...

Great post! Thanks a lot! Very useful.
namrataghadi is right, the two operations have to be switched.
I add some useful info if you want to invoke a web service using SSL with client authentication.
Create a keystore for the client certificate as you have done here for the server keystore and add before the invoke operation the following properties