Become a Certificate Authority

Generate the CA private key. -des3 encrypts it with a passphrase that you are prompted for here and again every time you sign a certificate; on current OpenSSL prefer -aes256 over the legacy 3DES option. Keep this key off the server: anyone holding it can issue certificates that every client trusting myCA.pem will accept.

openssl genrsa -des3 -out myCA.key 2048

Create Root Certificate

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

-x509 produces a self-signed certificate instead of a CSR; you will be prompted for the Distinguished Name fields, and the Common Name is what clients show as the issuer. -nodes has no effect here because the key already exists and is not written out again. myCA.pem is the file to install into the trust stores of clients that should trust this CA; myCA.key stays private.

Create a certificate signed by the CA

First generate the server's private key. In the commands that follow, $NAME stands for the hostname the certificate is for; set it once in the shell (for example NAME=www.example.test, an example value) and the file names follow from it.

openssl genrsa -out $NAME.key 2048

Create a certificate signing request

openssl req -new -key $NAME.key -out $NAME.csr

Create a config file for the extensions.

Save it as $NAME.ext. Modern browsers ignore the Common Name entirely, so the hostname must appear in subjectAltName. openssl does not expand shell variables inside a config file: either write the real hostname in place of $NAME or generate the file with an unquoted heredoc (cat > $NAME.ext <<EOF ... EOF) so the shell expands it before openssl reads it. The [alt_names] section header is required, otherwise the @alt_names reference does not resolve.

The file should have the following content:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here, because the Common Name is not honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (a subdomain in this case)
# IP.1 = <address> # Optionally, add an IP address if the planned connection requires it; leave the line out otherwise

Create the signed certificate

openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

You will be asked for the CA key passphrase. The generated $NAME.crt is a certificate in PEM format. -CAcreateserial also writes myCA.srl next to the CA files, which keeps serial numbers unique across later signings; keep it with the CA. 825 days is the longest lifetime Apple clients accept for a TLS server certificate, so do not go above it for the leaf.

Verifying the certificate

openssl verify -CAfile myCA.pem -verify_hostname $NAME $NAME.crt

This checks both the chain back to myCA.pem and that $NAME matches a subjectAltName entry; the expected output is "$NAME.crt: OK". Run it again with a hostname that is not in the certificate and it must fail, which confirms the SAN list is actually being enforced.

Convert the certificate and private key to PKCS#12 format (for Tomcat)

openssl pkcs12 -export -in $NAME.crt -inkey $NAME.key -out $NAME.p12 -name tomcat -chain -CAfile myCA.pem

-chain -CAfile bundles the CA certificate into the file alongside the key and leaf certificate. Remember the export password you make up for this step; keytool needs it next.
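The whole openssl procedure above, from CA key to PKCS#12 bundle, as one runnable POSIX shell script. This is an added example written for this page, not the page author's own commands: it assumes the hostname example.test, replaces the interactive -des3 passphrase prompt with an AES-256-encrypted CA key whose passphrase is passed via -passin/-passout (CA_PASS, a demo value), adds basicConstraints, authorityKeyIdentifier and extendedKeyUsage to the extension file, and finishes with a negative check that a hostname missing from the SAN list is rejected by openssl verify.

```shell
#!/bin/sh
# Added example (not from the original page): the openssl steps as shell
# functions, run non-interactively in a scratch directory.
# Assumptions: hostname example.test, CA key encrypted with AES-256 and a
# passphrase supplied via -passin/-passout, PKCS#12 password p12-demo-pass.
set -eu

CA_PASS="${CA_PASS:-ca-passphrase-change-me}"   # demo passphrase, assumed

# Steps 1 and 2: CA private key plus self-signed root certificate.
create_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out myCA.key 2048
  openssl req -x509 -new -key myCA.key -passin "pass:$CA_PASS" -sha256 -days 825 \
    -subj "/CN=Example Private Root CA" -out myCA.pem
}

# Steps 3 to 5: server key, CSR, extension file, signed certificate.
# $1 is the hostname. The heredoc is unquoted so the shell expands $name;
# openssl itself does not expand shell variables inside a config file.
issue_leaf() {
  name="$1"
  openssl genrsa -out "$name.key" 2048
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr"
  cat > "$name.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $name
DNS.2 = bar.$name
IP.1 = 127.0.0.1
EOF
  openssl x509 -req -in "$name.csr" -CA myCA.pem -CAkey myCA.key \
    -passin "pass:$CA_PASS" -CAcreateserial -out "$name.crt" -days 825 \
    -sha256 -extfile "$name.ext"
}

# Step 6: chain and hostname verification. $1 hostname, $2 certificate file.
# Exit status 0 only if the chain validates AND the name matches a SAN entry.
verify_leaf() {
  openssl verify -CAfile myCA.pem -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Number of DNS entries in the certificate's SAN (proves the ext file applied).
san_dns_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Step 7: PKCS#12 bundle (key, certificate, CA chain) for keytool / Tomcat.
# $1 hostname, $2 export password.
export_p12() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.p12" \
    -name tomcat -chain -CAfile myCA.pem -passout "pass:$2"
}

# Run the whole procedure in a scratch directory, with a negative test.
run_demo() {
  work="$(mktemp -d)"
  cd "$work"
  create_ca
  issue_leaf example.test
  export_p12 example.test p12-demo-pass
  verify_leaf example.test example.test.crt        # set -e aborts on failure
  echo "example.test.crt: chain and hostname OK ($(san_dns_count example.test.crt) DNS SANs)"
  if verify_leaf wrong.test example.test.crt; then
    echo "ERROR: a hostname absent from the SAN list was accepted" >&2
    return 1
  fi
  echo "wrong hostname correctly rejected; files are in $work"
}

run_demo
```

The CA passphrase is taken from the environment only to keep the demo non-interactive; on a real CA leave the interactive prompt in place and never put the passphrase in a script. If an older keytool cannot read the bundle, OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default; adding -legacy to the pkcs12 -export line falls back to the old PBE algorithms.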

Use a key pair with tomcat / java

Import the PKCS#12 file into a Java keystore.

keytool -importkeystore -deststorepass changeme -destkeystore tomcat.keystore -srckeystore $NAME.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD_FROM_LAST_STEP -alias tomcat

Replace changeme with a real password; it has to match keystorePass in server.xml below. Tomcat can also load the PKCS#12 file directly by pointing keystoreFile at it with keystoreType="PKCS12", which makes this conversion optional.

Use the keystore in tomcat

Copy the keystore onto the server, for example to /opt/security/, and restrict both it and server.xml (which holds the keystore password in clear text) to the Tomcat service user.

Modify the SSL Connector within the tomcat server.xml file:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true" keyAlias="tomcat"
           keystoreFile="/opt/security/tomcat.keystore" keystorePass="changeme"
           clientAuth="false" sslProtocol="TLS"/>

keyAlias must match the -name / -alias used above. These Connector-level attributes are the older configuration style; on Tomcat 8.5 and later they still work, but the same settings can be expressed with a nested SSLHostConfig/Certificate element, which is also where protocol and cipher restrictions belong.