Certificates 🔐

Preparing your CSR

A certificate configuration has to be prepared before building a signing request:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no

[ req_distinguished_name ]
countryName                = US                                         # C=
stateOrProvinceName        = Washington                                 # ST=
localityName               = Seattle                                    # L=
organizationName           = Chomat.us                                  # O=
organizationalUnitName     = platform@company.com                       # OU=
commonName                 = subdomain.domain.com                       # CU=
emailAddress               = platform@company.com                       # CN/emailAddress=

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = subdomain.domain.com
DNS.2   = subdomain-staging.domain.com
DNS.3   = subdomain-qa.domain.com

Generate a CSR (Certificate Signing Request):

openssl req -new -newkey rsa:2048 -nodes -keyout cert.pkey -out cert.csr -config csr.config

From there, you can submit your CSR to your certificate provider.

Keystore

  • Truststore contains public certificates you trust, often used as client to verify server.
  • Keystore contains your certificates and private keys, often used as server to prove its identity.

Replacing a certificate

  • List and delete entry from keystore
# Read a keystore
keytool -list -v -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PWD
 
# Once you cert found, you can delete based on the alias name
keytool -delete -alias $ALIAS_NAME -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PWD
  • Add a certificate to a keystore
keytool -import -alias $ALIAS_NAME -file $NEW_CERTIFICATE -keystore $KEYSTORE_FILE
  • Add a certificate chain / private keys to a keystore requires an extra step to not import only the server certificate but the entire chain and associated server private key
openssl pkcs12 -export -inkey cert.pkey -in signed_full_chain_cert.cer -name $ALIAS_NAME -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks