Generating a server certificate from a certificate authority
For clients to verify a server's identity, the certificate authority (CA) must issue a signed server certificate to the server.
About this task
This procedure uses openssl commands. However, you can complete these steps using a different key management tool of your choice.
Procedure
- Create a certificate signing request (CSR) and private key file using openssl. For example:
    openssl req -newkey rsa:4096 -out request.csr -keyout key.pem -nodes -sha256
  The openssl command prompts you for additional information to include in the CSR. For information on how to change algorithms, key strength, extended attributes, and so forth, see the openssl documentation or use the command openssl req -help.
- Submit the CSR to the CA to generate a certificate. Each CA has its own method for completing this step.
- Combine the private key, the CA-provided certificate file (mycert.crt), and any CA roots/intermediaries (CA.crt) into one key store in PKCS12 format. For example:
    openssl pkcs12 -export -out mykeystore.p12 -inkey key.pem -in mycert.crt -certfile CA.crt
- Validate the PKCS12 file:
    openssl pkcs12 -in mykeystore.p12 -noout -info
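The script below is an added example, not part of the original procedure: it confirms that the CA-issued certificate matches key.pem and chains to CA.crt before building the keystore, then checks that the keystore opens. The function names, the password file, and the throwaway test CA are assumptions made for illustration; the sample keys and certificates are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): checks around the PKCS12 step.

# Succeeds only if the certificate carries the public key of the private key.
key_matches_cert() {  # args: key.pem cert.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the certificate chains to the CA bundle.
chain_verifies() {  # args: CA.crt cert.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs both checks, builds the keystore, then confirms it opens with the password.
build_keystore() {  # args: key cert ca out.p12 password-file (hypothetical helper)
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 2; }
    chain_verifies "$3" "$2" || { echo "certificate does not chain to CA" >&2; return 3; }
    ( umask 077 && openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" \
        -certfile "$3" -passout "file:$5" ) || return 4
    openssl pkcs12 -in "$4" -noout -passin "file:$5" 2>/dev/null || return 5
}

# Constructed sample data: throwaway CA, server key/cert, and an unrelated key.
# RSA 2048 is used here only to keep the demo fast.
make_sample_pki() {  # args: empty directory
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out CA.crt &&
      openssl req -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=server.example.test" -keyout key.pem -out request.csr &&
      openssl x509 -req -in request.csr -CA CA.crt -CAkey ca.key \
          -CAcreateserial -days 1 -sha256 -out mycert.crt &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.pem &&
      printf 'constructed-passphrase\n' > pass.txt ) >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_sample_pki "$d" || return 1
    build_keystore "$d/key.pem" "$d/mycert.crt" "$d/CA.crt" "$d/mykeystore.p12" "$d/pass.txt"
    echo "matching key: exit $?"
    build_keystore "$d/other.pem" "$d/mycert.crt" "$d/CA.crt" "$d/bad.p12" "$d/pass.txt"
    echo "unrelated key: exit $?"
    rm -rf "$d"
}
demo
```

build_keystore returns 2 on a key/certificate mismatch and 3 when the certificate does not chain to CA.crt. Because -nodes leaves key.pem unencrypted, the example creates its files under umask 077.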