- With the following commands, you can create a CSR.
- Once signed, you can import the signed certificate and the private key in a JKS so that Java is able to use it.
- External tools needed: openssl (with configuration file located at /etc/pki/tls/openssl.cnf) and Java keytool
Please note that alternative names specify additional DNS names, and each entry must be prefixed with "DNS:", e.g. DNS:alt.fqd.com
```bash
# Create a private key and a CSR (the <(...) process substitution requires bash)
DOMAIN=www.gugus.com
openssl req -nodes -sha256 -newkey rsa:2048 -keyout "$DOMAIN.key" -out "$DOMAIN.csr" \
  -subj "/C=CH/ST=Zurich/L=Zurich/O=Company/CN=$DOMAIN" \
  -reqexts SAN -extensions SAN \
  -config <(cat /etc/pki/tls/openssl.cnf \
    <(echo -e "[SAN]\nsubjectAltName=DNS:$DOMAIN,DNS:www2.gugus.com"))
# The key is written unencrypted (-nodes), so restrict it to the owner
chmod 600 "$DOMAIN.key"

# Then, send the CSR to the CA (www.gugus.com.csr)
# Store the signed certificate as: www.gugus.com.cert

# Bundle the private key and the signed certificate into a PKCS12 file
openssl pkcs12 -export -out "$DOMAIN.pkcs12" -inkey "$DOMAIN.key" -in "$DOMAIN.cert"
# When asked, enter a real password, e.g. "password" (it is passed as -srcstorepass below)

# Convert the PKCS12 file into a JKS keystore
/opt/adnjdk18/bin/keytool -importkeystore -srckeystore "$DOMAIN.pkcs12" -srcstoretype pkcs12 -destkeystore "$DOMAIN.jks" -deststoretype jks -deststorepass changeit -srcstorepass password
# The imported entry has the alias "1" (no -name was given on export); rename it to "tomcat"
keytool -changealias -keystore "$DOMAIN.jks" -storepass changeit -alias 1 -destalias tomcat -keypass password
```
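
Two checks are worth running around the steps above: that the CSR really carries the expected SAN entries before it goes to the CA, and that the certificate returned by the CA belongs to the private key before the PKCS12 file is built. The following is an added example, not part of the original page; the helper names `csr_sans`, `csr_has_sans` and `cert_matches_key` are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run around the CSR workflow above.
# Helper names are hypothetical; only standard openssl subcommands are used.

# Print the DNS entries of the CSR's subjectAltName extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Succeed only if the CSR lists every DNS name given after the file name.
csr_has_sans() {
    chs_found=$(csr_sans "$1"); shift
    for chs_name in "$@"; do
        printf '%s\n' "$chs_found" | grep -qxF -- "$chs_name" \
            || { echo "missing SAN: $chs_name" >&2; return 1; }
    done
}

# Succeed only if the certificate's public key is the one derived from the
# private key, i.e. the CA signed the CSR that was created from this key.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cmk_cert" = "$cmk_key" ]
}

# Usage with the file names from the page:
#   csr_has_sans "$DOMAIN.csr" "$DOMAIN" www2.gugus.com   # before sending to the CA
#   cert_matches_key "$DOMAIN.cert" "$DOMAIN.key"          # before openssl pkcs12 -export
```

A failing `cert_matches_key` at this point is easier to diagnose than the error `openssl pkcs12 -export` or Tomcat reports later for a key and certificate that do not belong together.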