Certificates 🔐
Preparing your CSR
A certificate configuration has to be prepared before building a signing request:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US # C=
stateOrProvinceName = Washington # ST=
localityName = Seattle # L=
organizationName = Chomat.us # O=
organizationalUnitName = [email protected] # OU=
commonName = subdomain.domain.com # CN=
emailAddress = [email protected] # emailAddress=
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = subdomain.domain.com
DNS.2 = subdomain-staging.domain.com
DNS.3 = subdomain-qa.domain.com
Generate a CSR (Certificate Signing Request):
openssl req -new -newkey rsa:2048 -nodes -keyout cert.pkey -out cert.csr -config csr.config
From there, you can submit your CSR to your certificate provider.
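Before submitting, it is worth checking that the CSR really carries the SANs you configured and was signed with the key you kept. The script below is an added example, not part of the original page: it writes a config of the same shape as the one above (subject values are constructed samples, and a scratch directory WORK from mktemp is assumed), generates the key and CSR with the same openssl command, and verifies the request.

```shell
# Added example (not from the original page): build the CSR from a config
# like the one above, then check it before sending it to the CA.
# Assumptions: openssl is on PATH; file names csr.config/cert.pkey/cert.csr
# are the page's; subject values are constructed samples; WORK is a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_csr_config() {
  cat > "$WORK/csr.config" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Washington
localityName = Seattle
organizationName = Example Org
commonName = subdomain.domain.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = subdomain.domain.com
DNS.2 = subdomain-staging.domain.com
DNS.3 = subdomain-qa.domain.com
EOF
}

# Generate key + CSR with the page's command (-nodes: key file is unencrypted).
generate_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/cert.pkey" \
    -out "$WORK/cert.csr" -config "$WORK/csr.config" 2>/dev/null
  chmod 600 "$WORK/cert.pkey"   # the private key must not be world-readable
}

# Pre-submission checks: the request's self-signature verifies, every SAN
# we asked for is present, and the CSR's public key matches our private key.
verify_csr() {
  openssl req -in "$WORK/cert.csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$WORK/cert.csr" -noout -text)
  for host in subdomain.domain.com subdomain-staging.domain.com subdomain-qa.domain.com; do
    echo "$text" | grep -qF "DNS:$host" || return 1
  done
  csr_pub=$(openssl req -in "$WORK/cert.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/cert.pkey" -pubout)
  [ "$csr_pub" = "$key_pub" ]
}
```

Run `write_csr_config && generate_csr && verify_csr` and submit `cert.csr` only if the last step succeeds; a missing SAN or a key that does not match the request makes it fail.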
Keystore
- A truststore contains the public certificates you trust; it is typically used by a client to verify the server it connects to.
- A keystore contains your own certificates and private keys; it is typically used by a server to prove its identity.
Replacing a certificate
- List and delete an entry from the keystore
# Read a keystore
keytool -list -v -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PWD
# Once you have found your cert, delete it by its alias name
keytool -delete -alias $ALIAS_NAME -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PWD
- Add a certificate to a keystore
keytool -import -alias $ALIAS_NAME -file $NEW_CERTIFICATE -keystore $KEYSTORE_FILE
- Adding a certificate chain and its private key to a keystore requires an extra step, so that not only the server certificate but the entire chain and the associated server private key are imported
openssl pkcs12 -export -inkey cert.pkey -in signed_full_chain_cert.cer -name $ALIAS_NAME -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks