13.2.4. Generate a SSL Encryption Key and Certificate

To use a SSL-encrypted HTTP connection (HTTPS), as well as other types of SSL-encrypted communication, you need a signed encryption certificate. You can purchase a certificate from a Certificate Authority (CA), or you can use a self-signed certificate. Self-signed certificates are not considered trustworthy by many third parties, but are appropriate for internal testing purposes.

This procedure enables you to create a self-signed certificate using utilities which are available on Red Hat Enterprise Linux.

Prerequisites

You need the keytool utility, which is provided by any Java Development Kit implementation. OpenJDK on Red Hat Enterprise Linux installs this command to /usr/bin/keytool.
Understand the syntax and parameters of the keytool command. This procedure uses extremely generic instructions, because further discussion of the specifics of SSL certificates or the keytool command are out of scope for this documentation.

Procedure 13.2. Task

Generate a keystore with public and private keys.

Run the following command to generate a keystore named server.keystore with the alias jboss in your current directory.

keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore -storepass mykeystorepass --dname "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,S=NC,C=US"

The following table describes the parameters used in the keytool command:

Parameter	Description
`-genkey`	The `keytool` command to generate a key pair containing a public and private key.
`-alias`	The alias for the keystore. This value is arbitrary, but the alias `jboss` is the default used by the JBoss Web server.
`-keyalg`	The key pair generation algorithm. In this case it is `RSA`.
`-keystore`	The name and location of the keystore file. The default location is the current directory. The name you choose is arbitrary. In this case, the file will be named `server.keystore`.
`-storepass`	This password is used to authenticate to the keystore so that the key can be read. The password must be at least 6 characters long and must be provided when the keystore is accessed. In this case, we used `mykeystorepass`. If you omit this parameter, you will be prompted to enter it when you execute the command.
`-keypass`	This is the password for the actual key. Note Due to an implementation limitation this must be the same as the store password.
`--dname`	A quoted string describing the distinguished name for the key, for example: "CN=jsmith,OU=Engineering,O=mycompany.com,L=Raleigh,C=US". This string is a concatenation of the following components: `CN` - The common name or host name. If the hostname is "jsmith.mycompany.com", the `CN` is "jsmith". `OU` - The organizational unit, for example "Engineering" `O` - The organization name, for example "mycompany.com". `L` - The locality, for example "Raleigh" or "London" `S` - The state or province, for example "NC". This parameter is optional. `C` - The 2 letter country code, for example "US" or "UK",

When you execute the above command, you are prompted for the following information:

If you did not use the -storepass parameter on the command line, you are asked to enter the keystore password. Re-enter the new password at the next prompt.
If you did not use the -keypass parameter on the command line, you are asked to enter the key password. Press Enter to set this to the same value as the keystore password.

When the command completes, the file server.keystore now contains the single key with the alias jboss.

Verify the key.
Verify that the key works propertly by using the following command.
```
keytool -list -keystore server.keystore
```
You are prompted for the keystore password. The contents of the keystore are displayed (in this case, a single key called jboss). Notice the type of the jboss key, which is keyEntry. This indicates that the keystore contains both a public and private entry for this key.
Generate a certificate signing request.
Run the following command to generate a certificate signing request using the public key from the keystore you created in step 1.
```
keytool -certreq -keyalg RSA -alias jboss -keystore server.keystore -file certreq.csr
```
You are prompted for the password in order to authenticate to the keystore. The keytool command then creates a new certificate signing request called certreq.csr in the current working directory.
Test the newly generated certificate.
Test the contents of the certificate by using the following command.
```
openssl req -in certreq.csr -noout -text
```
The certificate details are shown.
Optional: Submit your certificate to a Certificate Authority (CA).
A Certificate Authority (CA) can authenticate your certificate so that it is considered trustworthy by third-party clients. The CA supplies you with a signed certificate, and optionally with one or more intermediate certificates.
Optional: Export a self-signed certificate from the keystore.
If you only need it for testing or internal purposes, you can use a self-signed certificate. You can export one from the keystore you created in step 1 as follows:
```
keytool -export -alias jboss -keystore server.keystore -file server.crt
```
You are prompted for the password in order to authenticate to the keystore. A self-signed certificate, named server.crt, is created in the current working directory.
Import the signed certificate, along with any intermediate certificates.
Import each certificate, in the order that you are instructed by the CA. For each certificate to import, replace intermediate.ca or server.crt with the actual file name. If your certificates are not provided as separate files, create a separate file for each certificate, and paste its contents into the file.
Note
Your signed certificate and certificate keys are valuable assets. Be cautious with how you transport them between servers.
```
keytool -import -keystore server.keystore -alias intermediateCA -file intermediate.ca
```
```
keytool -import -alias jboss -keystore server.keystore -file server.crt
```
Test that your certificates imported successfully.
Run the following command, and enter the keystore password when prompted. The contents of your keystore are displayed, and the certificates are part of the list.
```
keytool -list -keystore server.keystore
```

Result

Your signed certificate is now included in your keystore and is ready to be used to encrypt SSL connections, including HTTPS web server communications.

Report a bug

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

13.2.4. Generate a SSL Encryption Key and Certificate

Where did the comment section go?