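Generate root CA private key (-des3 encrypts the key file with a passphrase using 3DES; -aes256 is the stronger choice on current OpenSSL). Anyone who holds rootCA.key can issue certificates that every truststore containing rootCA.pem will accept, so keep it offline or tightly access-controlled: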
openssl genrsa -des3 -out rootCA.key 2048
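Create root CA certificate (self-signed, valid for 1825 days; -nodes has no effect here because an existing key is supplied with -key):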
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem
Generate private key for the certificate (passphrase-protected by -des3):
openssl genrsa -des3 -out my-private.key 2048
Create certificate CSR from private key:
openssl req -new -sha256 -key my-private.key -out my-signature-request.csr
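Sign certificate by root CA (by default openssl x509 -req does not copy extensions requested in the CSR, such as subjectAltName, into the certificate; supply them with -extfile if clients require them):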
openssl x509 -req -in my-signature-request.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-certificate.pem -days 365 -sha256
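Create keystore with certificate and private key (openssl prompts for an export password; it is what protects the private key inside keystore.p12, so choose a strong one):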
openssl pkcs12 -export -in my-certificate.pem -inkey my-private.key -name my-certificate-alias > keystore.p12
Import the my-certificate-alias entry from one keystore (keystore2.p12) into another (keystore.p12):
keytool -importkeystore -srckeystore keystore2.p12 -destkeystore keystore.p12 -srcstoretype pkcs12 -deststoretype pkcs12 -alias my-certificate-alias
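Create truststore with root CA certificate (only rootCA.pem is imported; rootCA.key never belongs in a truststore). Check the fingerprint keytool displays before confirming trust: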
keytool -import -file rootCA.pem -alias rootCA -storetype pkcs12 -keystore truststore.p12
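Create self-signed certificate (without local rootCA); no CA vouches for it, so clients will not trust it unless it is imported into their truststore explicitly: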
openssl x509 -signkey my-private.key -in my-signature-request.csr -req -days 365 -out my-certificate.pem
Remove certificate from keystore:
keytool -delete -alias my-certificate-alias -keystore keystore.p12
Import certificate into keystore:
keytool -import -trustcacerts -alias my-certificate-alias -file my-certificate.pem -keystore keystore.p12
List keystore content:
keytool -list -keystore keystore.p12
Add -v to list with details (including certificate fingerprints and validity dates).
Add -alias certificate-alias-name to view only the requested certificate.
View content of certificate PEM file:
openssl x509 -in my-certificate.pem -noout -text
View contents of CSR:
openssl req -in my-signature-request.csr -noout -text
Export certificate (which contains the public key, never the private key) from keystore:
keytool -exportcert -rfc -keystore keystore.p12 -alias my-certificate-alias -storetype PKCS12 -file exported-certificate.crt
Import certificate into existing truststore (truststore.p12):
keytool -importcert -file my-certificate.crt -keystore truststore.p12 -alias my-certificate-alias