LibraryToggle FramesPrintFeedback

You can download the OpenSSL utilities from

This section describes using the OpenSSL command-line utilities to create certificates. Further documentation of the OpenSSL command-line utilities can be obtained at

To create your own CA and certificates:

  1. Add the OpenSSL bin directory to your path.

  2. Create your own private CA.

    1. Create the directory structure for the CA.

      The directory structure should be:

      • X509CA/ca

      • X509CA/certs

      • X509CA/newcerts

      • X509CA/crl

      Where X509CA is the name of the CA's home directory.

    2. Copy the openssl.cnf file from your OpenSSL installation to your X509CA directory.

    3. Open your copy of openssl.cnf in a text editor.

    4. Edit the [CA_default] section to look like Example 2.1.


      You might decide to edit other details of the OpenSSL configuration at this point. For more details, see the OpenSSL documentation.

    5. Initialize the CA database as described in CA database files.

    6. Create a new self-signed CA certificate and private key with the command:

      openssl req -x509 -new -config X509CA/openssl.cnf -days 365 -out X509CA/ca/new_ca.pem -keyout X509CA/ca/new_ca_pk.pem

      You are prompted for a pass phrase for the CA private key and details of the CA distinguished name as shown in Example 2.2.


      The security of the CA depends on the security of the private key file and the private key pass phrase used in this step.

      You must ensure that the file names and location of the CA certificate and private key, new_ca.pem and new_ca_pk.pem, are the same as the values specified in openssl.cnf during Step 2.d.

  3. Create signed certificates in a Java keystore.

    1. Generate a certificate and private key pair using the keytool -genkeypair command.

      For details on the options to use when using keytool -genkeypair see Generate a certificate and private key pair.

    2. Create a certificate signing request using the keystore -certreq command.

      Example 2.3 creates a new certificate signing request for the fusesample.jks certificate and exports it to the fusesample_csr.pem file.

    3. Sign the CSR using the openssl ca command.

      You will prompted to enter the CA private key pass phrase you used when creating the CA in Step 2.f).

      See Signing a CSR for details on the options to use when signing the CSR.

    4. Convert the signed certificate to PEM only format using the openssl x509 command with the -outform option set to PEM.

      Example 2.4 converts the signed certificate fusesigned.pem.

    5. Concatenate the CA certificate file and the converted, signed certificate file to form a certificate chain.

      The CA certificate file is stored in the CA's ca directory. For example, the certificate file for the CA created in Step 2.f would be ca/new_ca.pem.

    6. Import the new certificate's full certificate chain into the Java keystore using the keytool -import command.

      Example 2.5 imports the chain fusesample.chain into the fusesample.jks keystore.

  4. Repeat Step 3 to create a full set of certificates for your system.

  5. Add trusted CAs to your Java trust store.

    1. Assemble the collection of trusted CA certificates that you want to deploy.

      The trusted CA certificates can be obtained from public CAs or private CAs. The trusted CA certificates can be in any format that is compatible with the Java keystore utility; for example, PEM format. All you need are the certificates themselves—the private keys and passwords are not required.

    2. Add a CA certificate to the trust store using the keytool -import command.

      Example 2.6 adds the CA certificate cacert.pem, in PEM format, to a JKS trust store.

      truststore.ts is a keystore file containing CA certificates. If this file does not already exist, the keytool command creates one. StorePass is the password required to access the keystore file.

    3. Repeat Step 5.b to add all of the CA certificates to the trust store.

To generate a certificate and private key pair you use the keytool -genkeypair command. For example, Example 2.7 creates a certificate and key pair that are valid for 365 days and is stored in the keystore file fusesample.jks. The generated key store entry will use the alias fuse and the password fusepass.

Because the specified keystore, fusessample.jks, did not exist prior to issuing the command implicitly creates a new keystore and sets its password to fusestorepass.

The -dname and -validity flags define the contents of the newly created X.509 certificate.

The -dname flag specifies the subject DN. For more details about DN format, see Appendix A. Some parts of the subject DN must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file). The default openssl.cnf file requires the following entries to match:

  • Country Name (C)

  • State or Province Name (ST)

  • Organization Name (O)


If you do not observe the constraints, the OpenSSL CA will refuse to sign the certificate (see Step 2.f ).

The -validity flag specifies the number of days for which the certificate is valid.

Comments powered by Disqus
loading table of contents...