• With the following commands, you can create a CSR.
  • Once signed, you can import the signed certificate and the private key in a JKS so that Java is able to use it.
  • External tools needed: openssl (with configuration file located at /etc/pki/tls/openssl.cnf) and Java keytool

Please note that alternative names specify additional DNS addresses, and they must be prefixed with DNS:alt.fqd.com


# Create a key
  openssl req -nodes -sha256 -newkey rsa:2048 -keyout $DOMAIN.key -out $DOMAIN.csr \
    -subj "/C=CH/ST=Zurich/L=Zurich/O=Company/CN=$DOMAIN" \
    -reqexts SAN -extensions SAN \
    -config <(cat /etc/pki/tls/openssl.cnf \
    <(echo -e "[SAN]\nsubjectAltName=DNS:$DOMAIN,DNS:www2.gugus.com"))
  chmod 600 $DOMAIN.key

# Then, send the CSR to the CA (www.gugus.com.csr)
# Store signed certificate to: www.gugus.com.cert

  openssl pkcs12 -export -out $DOMAIN.pkcs12 -inkey $DOMAIN.key -in $DOMAIN.cert
# When asked, enter a real password, e.g. "password"

  /opt/adnjdk18/bin/keytool -importkeystore -srckeystore $DOMAIN.pkcs12 -srcstoretype pkcs12 -destkeystore $DOMAIN.jks  -deststoretype jks -deststorepass changeit -srcstorepass password

  keytool -changealias -keystore $DOMAIN.jks -storepass changeit -alias 1 -destalias tomcat -keypass password