Infrastructure at your Service

Middleware Team

PKI – SSL certificates management with Java keytool and OpenSSL


In this blog, we will cover all steps to enable SSL encryption for a particular server. The procedure described here applies mostly for Java based servers and applications, with usage of a keystore.

In the case the organization into which the certificate has to be deployed has its own PKI, usage of OpenSSL is not necessary. In this case Java keytool usage will be enough.

In the case you have to sign by yourself, server certificate with the Root CA key, and/or create your own Root certificate, then usage of OpenSSL is mandatory.

In real case, most of the times, servers have to be reachable from at least 2 DNS names. For instance, its short host name, and its FQND. The developed scenario will cover this situation as well.

Refer to “subjectAltName” certificate attribute documentation for more information.

It is recommended to use keytool application binary of the Java Runtime Environment used for the application execution. It is located under bin folder.

Consider “hostname” and “” as DNS aliases of the server.

Consider changing passwords (*****) and values of “CN”, “OU”, “O”, “L”, “S”, and “C” certificate attributes for both CA and server certificates.

Refer to keytool documentation for more information.


1 – Create keystore and certificate

keytool -genkeypair -keystore keystore.jks -dname “, OU=IT, O=Company, L=City, S=Country, C=CountryAcronym” -keypass ***** -storepass ***** -keyalg RSA -alias server -validity 731 -ext SAN=dns:hostname,  -ext KU=digitalSignature,keyEncipherment -ext EKU=serverAuth


2 – Create a certificate request for signature to the certification authority

keytool -certreq -keystore keystore.jks -keypass ***** -storepass ***** -alias server -file hostname.csr


3 -Server certificate signature

In the case your organization has its own PKI, just send the CSR and wait for the signed server certificate.

In the case you want to manage or create a new PKI, go to 3-1 section for Root CA certificate creation, and/or server certificate signature with OpenSSL.


4 – Import provided Root CA and signed certificate of the server from certification authority

–   Import of root CA:

keytool -import -alias cert1 -file root.pem -keystore keystore.jks -storepass *****

->> trust the certificate when prompted

–   Eventually import other mid-certificate in the chain (repeat and change alias for all intermediate certificates in the chain)

keytool -import -alias cert2 -file sub.pem -keystore keystore.jks -storepass *****

–   Finally import signed certificate

keytool -import -trustcacerts -alias server -file hostname.cer -keystore keystore.jks -storepass *****



Create Root CA and sign server certificate with OpenSSL

3-1 – Generate key for Root CA

openssl genpkey -algorithm RSA -out rootkey.pem -pkeyopt rsa_keygen_bits:4096


3-2 – Generate certificate CSR for Root CA self-signing

openssl req -new -key rootkey.pem -days 5480 -extensions v3_ca -batch -out root.csr -utf8 -subj ‘/C=CountryAcronym/O=Company Root CA/OU=IT/CN=Company Root CA


3-3 – Create an extension file (openssl.root.cnf) with following content

basicConstraints = critical, CA:TRUE

keyUsage = keyCertSign, cRLSign

subjectKeyIdentifier = hash


3-4 – Self sign Root CA certificate and append extensions

openssl x509 -req -sha256 -days 3650 -in root.csr -signkey rootkey.pem -set_serial 1 -extfile openssl.root.cnf -out root.pem


3-5 – Sign server certificate request with Root key

openssl  x509  -req  -CA root.pem -CAkey rootkey.pem -in hostname.csr -out hostname.cer -days 731  -CAcreateserial


3-6 –Trust Root CA certificate

Eventually import “root.pem” Root CA certificate to you browser’s CA and/or into your Java Runtime Environment lists.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Middleware Team
Middleware Team