We will learn how to generate the Subject Alternative Name (SAN) certificate in a simple way.

- Explaining how to create the SAN certificate using the Java keytool.
- Explaining how to export the certificate private and public keys using OpenSSL.
- Explaining how to create the Certificate Signing Request (CSR) for the SAN certificate using the Java keytool.

The Subject Alternative Name (SAN) is an extension to the X.509 specification. The specification allows additional values to be specified for an SSL certificate. These values are added to an SSL certificate via the subjectAltName field. An SSL certificate with SAN values is usually called a SAN certificate.

RFC 2818 recommends using the SAN certificate instead of a regular SSL certificate:

> Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

The full list of supported values is given in RFC 5280. It is recommended to configure the following values (where applicable):

The command below will create a pkcs12 Java keystore server.jks with a self-signed SSL certificate:

```
keytool \
 -keystore server.jks -storepass protected -deststoretype pkcs12 \
```

The command below will list certificates in the keystore:

```
keytool -list -v -keystore server.jks -storepass protected
```

The snippet below shows the partial output only, with the Subject (Owner below) and SubjectAltName (SubjectAlternativeName below) fields.

```
#1: ObjectId: 2.5.29.17 Criticality=false
```

Configure your webserver to use the certificate and you will be able to check the certificate in a browser.

Export the certificate private and public keys

The Java keytool does not support export of a private key, therefore we will need to use OpenSSL. The command below exports the private key to the file serverkey.pem:

```
openssl pkcs12 -in server.jks -nodes -nocerts -out serverkey.pem
```

You will need to provide the keystore password (`protected`). Because of `-nodes`, the private key is written to serverkey.pem unencrypted, so restrict access to that file.

The command below exports the public key (the certificate) to the file servercert.pem:

```
openssl pkcs12 -in server.jks -nokeys -out servercert.pem
```

How to create the CSR for the SAN certificate

Create the SAN certificate

First create the SAN certificate with all values:

```
keytool \
 -genkeypair -keyalg RSA -validity 395 -keysize 2048 -sigalg SHA256withRSA \
 -dname "CN=,O=myorganization,OU=myou,L=mylocation,ST=California,C=US" \
 -ext
```

The command requires the following values for the Subject field:

The command requires the following values for the SubjectAltName field (where applicable):

- IP - List of IP addresses of your server.

The SubjectAltName field with all values:

The command below will export the Certificate Signing Request (CSR) into the myserver.csr file.

```
-certreq -keystore server.
```

Note: copy the `-ext` parameter value from the command that creates the SAN certificate.

You are welcome to send the CSR to your favorite CA.

Java Keytool - Create Keystore

Introduction

This article covers the creation of a new Java keystore using Java keytool. Follow the step-by-step guidelines below.

Open a command prompt in the same directory as Java keytool; alternatively, you may specify the full path of keytool in your command. Pay close attention to the alias you specify in this command, as it will be needed later on.

Generate a CSR based on the new keystore:

```
keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
```