Steps to generate a self-signed PKCS#12 SSL certificate and export its keys:

- Create the PKCS#12 keystore (.p12 or .pfx file):
keytool -genkeypair -keystore myKeystore.p12 -storetype PKCS12 -storepass MY_PASSWORD -alias KEYSTORE_ENTRY -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=My SSL Certificate, OU=My Team, O=My Company, L=My City, ST=My State, C=SA" -ext san=dns:mydomain.com,dns:localhost,ip:127.0.0.1
- myKeystore.p12 -> keystore filename. It can have a .pfx extension as well.
- MY_PASSWORD -> password used for the keystore and the private key as well.
- CN -> commonName, it will be shown as the certificate name in the certificates list.
- OU -> organizationUnit, department name for example.
- O -> organizationName, the company name.
- L -> localityName, the city.
- ST -> stateName, the state.
- C -> country, the 2-letter country code.
Note: Import myKeystore.p12 into browsers to trust it. Add it to the "Trusted Root Certification Authorities" certificate store. Use the password MY_PASSWORD. (Only the certificate needs to be trusted: importing the exported public-certificate.pem instead of the .p12 avoids copying the private key into the trust store.)
Note: This step can be done using openssl but it's more complicated.
- Create the public certificate (has the header -----BEGIN CERTIFICATE-----):
Using keytool:
keytool -exportcert -keystore myKeystore.p12 -storepass MY_PASSWORD -alias KEYSTORE_ENTRY -rfc -file public-certificate.pem
Or using openssl:
openssl pkcs12 -in myKeystore.p12 -password pass:MY_PASSWORD -nokeys -out public-certificate.pem
- Export the private key (has the header -----BEGIN PRIVATE KEY-----):
openssl pkcs12 -in myKeystore.p12 -password pass:MY_PASSWORD -nodes -nocerts -out private-key.pem
Note: -nodes writes the private key unencrypted, so restrict the file's permissions (e.g. chmod 600 private-key.pem).
- Export the public key from the private key (has the header -----BEGIN PUBLIC KEY-----):
openssl rsa -in private-key.pem -pubout -out public-key.pub
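A check to run once the three files above exist, added here as an example and not part of the original note: it confirms that the certificate, the exported private key and the exported public key all carry the same RSA public key, and that the expected SAN entries made it into the certificate. The file names and an openssl binary on PATH are assumptions.

```shell
#!/bin/sh
# Added example: verify the artifacts exported from myKeystore.p12 belong together.
# Assumes openssl is on PATH; file names follow the steps above.

pem_header() {
  # Print the first "-----BEGIN ...-----" line of a PEM file. The openssl pkcs12
  # exports above prepend "Bag Attributes" lines, so do not look at line 1 only.
  grep -m1 '^-----BEGIN ' "$1"
}

check_key_pair() {
  # Usage: check_key_pair public-certificate.pem private-key.pem [public-key.pub]
  # Returns 0 when the public key embedded in the certificate is identical to the
  # public key derived from the private key (and, if given, to the exported
  # public key file); returns 1 on any mismatch or unreadable input.
  cert="$1"; key="$2"; pub="${3:-}"
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  from_key=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$from_cert" != "$from_key" ]; then
    echo "certificate does not match private key" >&2; return 1
  fi
  if [ -n "$pub" ] && [ "$(cat "$pub")" != "$from_key" ]; then
    echo "exported public key does not match private key" >&2; return 1
  fi
  return 0
}

cert_has_san() {
  # Usage: cert_has_san public-certificate.pem "DNS:localhost"
  # Uses -text (available on old and new openssl) and greps the SAN line, where
  # keytool's dns:/ip: entries appear as "DNS:..." and "IP Address:...".
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

if [ $# -ge 2 ]; then
  check_key_pair "$@" && echo "certificate and private key match"
fi
```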