Generating a self-signed SSL certificate

One of the tasks every software developer needs to tackle periodically is generating a self-signed SSL certificate in one form or another for the purpose of testing SSL-secured software systems. Here is an easy method to generate a self-signed cert on the CLI.

$ openssl genrsa -out privatekey.pem 2048

$ openssl req -new -key privatekey.pem -out signingrequest.cer

$ openssl x509 -req -days 3650 -in signingrequest.cer -signkey privatekey.pem -out certificate.pem

 

View the generated certificate:

$ openssl x509 -text -noout -in certificate.pem   

 

For Java server applications, the key and certificate need to be in the Java keystore format. First, convert the certificate and its private key to PKCS12 format:

$ openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -out certificate.p12 -name <hostname>

where <hostname> is the common name of the certificate.

Pick a password for the export; you'll need it in a second.

Import the PKCS12 cert into a keystore:

$ keytool -importkeystore -deststorepass <makeapass> -destkeypass <keypassword> -destkeystore keystore.jks -srckeystore certificate.p12 \
 -srcstoretype PKCS12 -srcstorepass <password> -alias <hostname>

Create a keystore password in place of <makeapass>. For <keypassword>, use the password of the original certificate. For <password>, use the password you just specified for the export.

Now you have a self-signed certificate in two useful formats for server applications.
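
The openssl steps above can also be run without prompts and then checked for consistency. The script below is an added example, not part of the original post; the hostname test.example.internal, the P12_PASS environment variable, the sample password and the function names are assumptions. The keytool step is left out so that only openssl is required.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Hostname and password below are
# constructed sample values.
set -eu

# Run the three openssl steps plus the PKCS12 export without prompts.
# $1 = output dir, $2 = hostname used as CN and PKCS12 alias.
# The export password is read from the environment variable P12_PASS so it
# does not appear in the process list.
make_selfsigned() (
  umask 077                       # key and bundle readable by owner only
  cd "$1" &&
  openssl genrsa -out privatekey.pem 2048 2>/dev/null &&
  openssl req -new -key privatekey.pem -subj "/CN=$2" -out signingrequest.cer &&
  openssl x509 -req -days 3650 -in signingrequest.cer \
    -signkey privatekey.pem -out certificate.pem 2>/dev/null &&
  openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem \
    -out certificate.p12 -name "$2" -passout env:P12_PASS
)

# True when the certificate carries the public half of privatekey.pem.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/certificate.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/privatekey.pem" -pubout)" ]
}

# True when issuer and subject are the same name, as expected with -signkey.
is_self_signed() {
  s=$(openssl x509 -in "$1/certificate.pem" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1/certificate.pem" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# True when the PKCS12 bundle can be opened with the password in P12_PASS.
p12_opens() {
  openssl pkcs12 -in "$1/certificate.p12" -passin env:P12_PASS -noout 2>/dev/null
}

demo_dir=$(mktemp -d)
export P12_PASS='sample-export-password'      # constructed value
make_selfsigned "$demo_dir" test.example.internal
key_matches_cert "$demo_dir" && is_self_signed "$demo_dir" && p12_opens "$demo_dir" \
  && echo "certificate, key and PKCS12 bundle are consistent"
rm -rf "$demo_dir"
```

A certificate created this way has only a common name; clients that require a subjectAltName entry will still reject it.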