Certificates, JKS, public and private keys, PEMs

Generate public and private keys

# Generate a private key
openssl genrsa -out ./private.pem 2048

# Generate a public key from a private key
openssl rsa -pubout -in private.pem -out ./public.pem

# Get the public-key fingerprint (MD5 over the DER-encoded public key derived from the private key)
openssl rsa -pubout -outform DER -in private.pem | openssl md5 -c

Create client JKS from pem files

Given cert.pem, intermediate.pem, and key.pem:

# Create the Client Keystore
cat cert.pem intermediate.pem > chain.crt
openssl pkcs12 -export -inkey key.pem -in chain.crt -out key.p12 -name client -passin pass:"$in_pass" -passout pass:changeit
rm -f client.jks
keytool -importkeystore -destkeystore client.jks -deststoretype jks -srckeystore key.p12 -srcstoretype pkcs12 -srcstorepass changeit -deststorepass changeit

# Create the common Trust Keystore
rm -f trust.jks
keytool -import -noprompt -trustcacerts -alias trust -file intermediate.pem -keystore trust.jks -storepass changeit

# Remove the .p12 files
find . -name "*.p12" -type f -delete

Remove a passphrase from a private key

# Prompts for the current passphrase and writes the key back unencrypted, so keep the file's permissions restricted
openssl rsa -in key.pem -out key.pem.removed
rm key.pem
mv key.pem.removed key.pem

Generate self signed certs for MTLS and create a java keystore out of them.

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 2048
# Note: the CA and both end-entity certs below use CN=$HOSTNAME; in real use give the CA its own name so issuer and subject DNs differ.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=US/ST=WA/L=Seattle/O=Org/OU=Ronnie/CN=$HOSTNAME"
# Create the Server Key, CSR, and Certificate (2048-bit; 1024-bit RSA is below the accepted minimum)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=WA/L=Seattle/O=Org/OU=Ronnie/CN=$HOSTNAME"
# Sign the server certificate with our CA cert.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=WA/L=Seattle/O=Org/OU=Ronnie/CN=$HOSTNAME"
# Sign the client certificate with our CA cert. Serial numbers must be unique per issuer, so this one is 02 rather than 01 again.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Creating server store
openssl pkcs12 -export -inkey server.key -in server.crt -out server.p12 -name server -passin pass:"$in_pass" -passout pass:"$export_pass"
rm -f server.jks
keytool -importkeystore -destkeystore server.jks -deststoretype jks -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass "$export_pass" -deststorepass "$export_pass"
# Create the client Keystore
cat client.crt ca.crt > client-chain.crt
openssl pkcs12 -export -inkey client.key -in client-chain.crt -out client.p12 -name client -passin pass:"$in_pass" -passout pass:"$export_pass"
rm -f client.jks
keytool -importkeystore -destkeystore client.jks -deststoretype jks -srckeystore client.p12 -srcstoretype pkcs12 -srcstorepass "$export_pass" -deststorepass "$export_pass"
# Create client trust store
rm -f trust.jks
keytool -import -noprompt -trustcacerts -alias trust -file ca.crt -keystore trust.jks -storepass "$export_pass"
# Remove files that are not needed
find . -name "*.p12" -type f -delete
find . -name "*.csr" -type f -delete
find . -name "*chain.crt" -type f -delete
# This produces...
# ca.crt
# ca.key
# client.crt
# client.jks
# client.key
# server.crt
# server.jks
# server.key
# trust.jks
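A check script for the artifacts the procedure above produces, as an added example that is not part of these notes: it builds a throwaway CA/server/client set of the same shape (constructed fixture, with unique serials), then verifies with plain openssl that each leaf chains to ca.crt, that each key matches its cert, that nothing expires soon, and that the serials differ. It assumes the files sit in the directory passed as $1, named as in the listing above.

```shell
#!/bin/sh
# Sanity checks for the mTLS artifacts produced by the steps above.
# Added example, not part of these notes; assumes ca.crt, server.crt, server.key,
# client.crt and client.key live in the directory passed as $1 (as in the listing above).
set -eu

# Build a throwaway CA/server/client set in $1 so the checks can run offline.
# Constructed fixture with the same shape as the procedure (but unique serials).
make_test_pki() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=Org/CN=Test CA" 2>/dev/null
    for n in server client; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
        openssl req -new -key "$d/$n.key" -out "$d/$n.csr" -subj "/O=Org/CN=$n" 2>/dev/null
    done
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 01 -out "$d/server.crt" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 02 -out "$d/client.crt" 2>/dev/null
}

# Returns 0 only if every check passes; prints the first failing check otherwise.
verify_mtls_artifacts() {
    d=$1
    for n in server client; do
        # 1. Each leaf cert must chain to ca.crt (what the JKS trust store will hold).
        openssl verify -CAfile "$d/ca.crt" "$d/$n.crt" >/dev/null 2>&1 \
            || { echo "FAIL: $n.crt does not verify against ca.crt"; return 1; }
        # 2. The private key must belong to the cert: compare the public keys.
        k=$(openssl pkey -in "$d/$n.key" -pubout 2>/dev/null | openssl sha256)
        c=$(openssl x509 -in "$d/$n.crt" -pubkey -noout 2>/dev/null | openssl sha256)
        [ "$k" = "$c" ] || { echo "FAIL: $n.key does not match $n.crt"; return 1; }
        # 3. Nothing may expire within the next 30 days (2592000 s).
        openssl x509 -in "$d/$n.crt" -noout -checkend 2592000 >/dev/null 2>&1 \
            || { echo "FAIL: $n.crt expires within 30 days"; return 1; }
    done
    # 4. Serials must be unique per issuer; reusing -set_serial 01 breaks this.
    s1=$(openssl x509 -in "$d/server.crt" -noout -serial)
    s2=$(openssl x509 -in "$d/client.crt" -noout -serial)
    [ "$s1" != "$s2" ] || { echo "FAIL: server and client share $s1"; return 1; }
    echo "OK: chain, key/cert match, expiry and serial checks passed"
}
```

Run `verify_mtls_artifacts .` in the directory holding the generated files before importing anything into a keystore; keytool will happily import a cert whose key does not match.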

Configure nginx with SSL certs

Given cert.pem, key.pem, and intermediate.pem from above, or generate new ones:

# Self-signed test cert (there is no intermediate in this case, so ssl_certificate is just cert.pem)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

The files given to us map to NGINX like so:

ssl_certificate     = cert.pem + intermediate.pem
ssl_certificate_key = key.pem

server {
  listen 443 ssl http2;
  ssl_certificate      ssl.crt;
  ssl_certificate_key  key.pem;
}

ssl_certificate is the only interesting one: it must contain the server cert first, followed by the intermediate(s). To create it, just do: cat cert.pem intermediate.pem > ssl.crt

Check certificate expiration dates and info

# Print the leaf cert's validity dates (-servername sends SNI; </dev/null lets s_client exit after the handshake)
openssl s_client -showcerts -connect google.com:443 -servername google.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Full decode of the leaf cert; drop the pipe to see the whole chain the server sends
openssl s_client -showcerts -connect google.com:443 -servername google.com </dev/null 2>/dev/null | openssl x509 -text -noout