How to use openssl and keytool for SSL/TLS (Secure Sockets Layer / Transport Layer Security)

  • KM01726805
  • 06-Jul-2015
  • 19-Oct-2015

Summary

This page gives sample commands for generating SSL/TLS key and certificate files with openssl and keytool: a private CA, a host certificate signed by that CA, and the Java keystores and trust stores that hold them.

Question

OpenSSL is an open-source implementation of the SSL and TLS protocols and of the cryptographic primitives (keys, certificates, digests, ciphers) behind them.

keytool is the Java-based key and certificate management tool; it manages a keystore (a database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

This document lists the command help of both tools, followed by a set of sample commands.

Answer

1. openssl command help
 - openssl - command help.zip
 - Standard commands
   asn1parse         ca                ciphers           cms              
   crl               crl2pkcs7         dgst              dh               
   dhparam           dsa               dsaparam **       ec               
   ecparam           enc               engine            errstr           
   gendh             gendsa **         genpkey           genrsa **          
   nseq              ocsp              passwd            pkcs12           
   pkcs7             pkcs8             pkey              pkeyparam        
   pkeyutl           prime             rand              req              
   rsa **            rsautl            s_client          s_server         
   s_time            sess_id           smime             speed            
   spkac             ts                verify            version          
   x509             
  
   Message Digest commands (see the `dgst' command for more details) -- md2, md4, md5 and sha/sha1 are listed for completeness only; they are not collision-resistant and should not be used for new signatures or integrity checks
   md2               md4               md5               rmd160           
   sha               sha1             
  
   Cipher commands (see the `enc' command for more details) -- the list includes legacy algorithms (rc2, rc4, des, bf, idea, cast) and ECB modes that should not be used for new data; prefer the aes-*-cbc entries, or a proper protocol/library for anything beyond scratch files
   aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb      
   aes-256-cbc       aes-256-ecb       base64            bf               
   bf-cbc            bf-cfb            bf-ecb            bf-ofb           
   camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb 
   camellia-256-cbc  camellia-256-ecb  cast              cast-cbc         
   cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb        
   des               des-cbc           des-cfb           des-ecb          
   des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb      
   des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb     
   des-ofb           des3              desx              idea             
   idea-cbc          idea-cfb          idea-ecb          idea-ofb         
   rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc          
   rc2-cfb           rc2-ecb           rc2-ofb           rc4              
   rc4-40            seed              seed-cbc          seed-cfb         
   seed-ecb          seed-ofb          zlib    

 
2. keytool command help
 - keytool - command help.zip
 - Standard commands
   -certreq            Generates a certificate request
   -changealias        Changes an entry's alias
   -delete             Deletes an entry
   -exportcert         Exports certificate
   -genkeypair         Generates a key pair
   -genseckey          Generates a secret key
   -gencert            Generates certificate from a certificate request
   -importcert         Imports a certificate or a certificate chain
   -importkeystore     Imports one or all entries from another keystore
   -keypasswd          Changes the key password of an entry
   -list               Lists entries in a keystore
   -printcert          Prints the content of a certificate
   -printcertreq       Prints the content of a certificate request
   -printcrl           Prints the content of a CRL file
   -storepasswd        Changes the store password of a keystore

3. sample commands 
 1) environment variables (Windows cmd.exe; the samples below use batch syntax: %VAR% expansion, ^ line continuation, copy/mkdir)
REM Tool locations. JAVA_HOME keeps the surrounding quotes as part of its value
REM because the path contains a space and every later use expands %JAVA_HOME%
REM unquoted (e.g. %JAVA_HOME%\lib\security\cacerts); do not add quotes at the
REM use sites, they would double up. Note it points at the jre subdirectory, which
REM is where this JDK keeps lib\security\cacerts.
set "OPENSSL=openssl"
set JAVA_HOME="C:\Program Files\Java\jdk1.7.0_40\jre"
set "KEYTOOL=%JAVA_HOME%\bin\keytool"

REM Host whose key and certificate are produced in steps 5-9.
set "HOST_FQDN=hostA.domain1.com"
set "HOST_ALIAS=hostA.domain1.com"
set "HOST_PASSWD=changeit"

REM CA and trust-store secrets. "changeit" is the JDK default cacerts password,
REM and CACERT_PASSWD must match the real one when step 4 works on a copy of the
REM system cacerts. These are sample values: a password given on the command
REM line (pass:...) is visible to other local users through process listings.
set "CAROOT_ALIAS=ca"
set "CAROOT_PASSWD=changeit"
set "CACERT_PASSWD=changeit"
set "TRUSTEDCLIENTS_KEYSTORE_PASSWD=changeit"

 2) Create private key for CA
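REM The root\ output directory is never created anywhere else; genrsa fails
REM when it is missing.
if not exist root mkdir root
REM CA private key: 2048-bit RSA, stored encrypted. AES-256 replaces the legacy
REM 3DES (-des3) wrapping. The pass: form exposes the password in the process
REM list; outside a demo use -passout file:... or stdin instead.
%OPENSSL% genrsa -aes256 -passout pass:%CAROOT_PASSWD% -out root/private.key 2048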

 3) Create Self-Signed Certificate for CA
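REM Self-signed root CA certificate, valid 3 years. -sha256 is explicit because
REM OpenSSL releases before 1.1.0 sign with SHA-1 unless openssl.conf sets
REM default_md, and SHA-1 signatures are rejected by current clients.
REM The CN below is a leftover from the author's environment: replace it with
REM the organisation's CA name. openssl.conf is not part of this page; its
REM x509_extensions section must give the CA basicConstraints=CA:TRUE.
%OPENSSL% req -new  -key root/private.key ^
              -x509 -sha256 -days 1095 ^
              -out root/rootcert.pem ^
              -subj /CN=eric130.eric130d.com ^
              -config ./openssl.conf ^
              -passin pass:%CAROOT_PASSWD%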


 4) Import the CA certificate into the JVM's system-wide trust store (cacerts) and build the client trust store
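REM Keep one pristine backup of the JVM trust store; never overwrite it on re-runs.
if not exist %JAVA_HOME%\lib\security\cacerts.orig copy /Y %JAVA_HOME%\lib\security\cacerts %JAVA_HOME%\lib\security\cacerts.orig

REM Work on a copy of the real cacerts so the result still holds the public
REM roots. The original had this copy disabled ("#" is not a cmd comment, the
REM line just failed), so keytool created a fresh keystore containing only this
REM private CA and the final copy below replaced the JVM trust store with it,
REM breaking every application on that JVM that talks to a public-CA host.
copy /Y %JAVA_HOME%\lib\security\cacerts root\cacerts

REM -importcert is the current spelling of -import. CACERT_PASSWD must be the
REM existing cacerts password (JDK default: changeit).
%KEYTOOL% -importcert -trustcacerts -alias %CAROOT_ALIAS% -noprompt ^
                      -file root/rootcert.pem ^
                      -storepass %CACERT_PASSWD% ^
                      -keystore root/cacerts

REM The client trust store is built fresh and holds only this CA. Deriving it
REM from cacerts (as the original did) would accept a certificate issued by any
REM public CA as a trusted client.
if exist root\trustedclients.keystore del root\trustedclients.keystore
%KEYTOOL% -importcert -alias %CAROOT_ALIAS% -noprompt ^
                      -file root/rootcert.pem ^
                      -storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% ^
                      -keystore root/trustedclients.keystore

REM Install the augmented trust store (public roots + this CA) into the JVM.
copy /Y root\cacerts %JAVA_HOME%\lib\security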

 5) Create private key for a host
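REM Per-host working directory (the original mkdir errored on a second run).
@if not exist %HOST_FQDN% mkdir %HOST_FQDN%
REM Host private key, AES-256 wrapped instead of the legacy -des3.
%OPENSSL% genrsa -aes256 -passout pass:%HOST_PASSWD% ^
                 -out %HOST_FQDN%/private.key 2048

REM Certificate Signing Request (CSR), SHA-256 signed ("#" is not a cmd
REM comment, hence REM). The original also passed -passout, which req only uses
REM together with -newkey; it is dropped here. Modern clients match the host
REM name against a subjectAltName rather than the CN alone; because step 6
REM (x509 -req) does not copy CSR extensions, SANs have to be added there with
REM -extfile rather than in this request.
%OPENSSL% req -new -sha256 -config openssl.conf ^
              -passin pass:%HOST_PASSWD% ^
              -key %HOST_FQDN%/private.key ^
              -subj /CN=%HOST_FQDN% ^
              -out %HOST_FQDN%/%HOST_FQDN%.csr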

 6) Sign CSR
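REM Sign the CSR with the CA key, valid 3 years, SHA-256 (OpenSSL before 1.1.0
REM defaults to SHA-1 here). -CAcreateserial creates root/rootcert.srl on first
REM use; later runs continue from that counter. "x509 -req" does not copy
REM extensions from the CSR: to issue a server certificate with subjectAltName
REM or extendedKeyUsage, add "-extfile <file> -extensions <section>".
%OPENSSL% x509 -req -sha256 -days 1095 ^
               -passin pass:%CAROOT_PASSWD% ^
               -in %HOST_FQDN%/%HOST_FQDN%.csr ^
               -CA root/rootcert.pem ^
               -CAkey root/private.key ^
               -CAcreateserial ^
               -out %HOST_FQDN%/%HOST_FQDN%.pem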


 7) Import the private key and certificate into a Java keystore (via PKCS#12)
REM Bundle the host key and certificate as PKCS#12, then convert that bundle
REM into a Java keystore under alias HOST_ALIAS. HOST_PASSWD protects both the
REM .p12 and the resulting keystore. The .p12 file contains the private key:
REM delete it or restrict its permissions once the keystore exists.
%OPENSSL% pkcs12 -export ^
                 -name %HOST_ALIAS% ^
                 -inkey %HOST_FQDN%/private.key ^
                 -in %HOST_FQDN%/%HOST_FQDN%.pem ^
                 -passin pass:%HOST_PASSWD% -passout pass:%HOST_PASSWD% ^
                 -out %HOST_FQDN%/%HOST_FQDN%.p12
%KEYTOOL% -importkeystore ^
          -srcstoretype PKCS12 ^
          -srckeystore %HOST_FQDN%/%HOST_FQDN%.p12 -srcstorepass %HOST_PASSWD% ^
          -destkeystore %HOST_FQDN%/%HOST_FQDN%.keystore -deststorepass %HOST_PASSWD%


 8) Export the host certificate from the keystore
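REM Export the host's certificate (DER encoded). The entry was created under
REM HOST_ALIAS in step 7, so that alias is used here as well; the original used
REM HOST_FQDN, which only works while both variables hold the same value.
REM Despite the .pubkey suffix the file is an X.509 certificate, not a bare
REM public key; the name is kept because step 9 reads it.
%KEYTOOL% -exportcert -storepass %HOST_PASSWD% -alias %HOST_ALIAS% ^
                      -keystore %HOST_FQDN%/%HOST_FQDN%.keystore ^
                      -file %HOST_FQDN%/%HOST_FQDN%.pubkey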
                     
 9) Import the host certificate into the client trust store
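REM Replace the host's entry in the client trust store. The delete is guarded
REM with a -list lookup so a first run (alias not yet present) does not report
REM a keytool error; the original deleted unconditionally.
%KEYTOOL% -list -alias %HOST_ALIAS% -storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% -keystore root/trustedclients.keystore >nul 2>&1 && %KEYTOOL% -delete -alias %HOST_ALIAS% -storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% -keystore root/trustedclients.keystore

REM If the trust store already contains the CA that issued this certificate
REM (step 4), every certificate from that CA is accepted regardless; the
REM per-host entry only restricts anything when the CA itself is absent.
%KEYTOOL% -importcert -alias %HOST_ALIAS%  -noprompt ^
                  -file %HOST_FQDN%/%HOST_FQDN%.pubkey ^
                  -storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% -keystore root/trustedclients.keystore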

 10) Copy the client trust store for Propel and change its password
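REM Propel-specific copy of the client trust store with its own password.
REM PROPEL_PASSWD is a sample value; replace it before use. PROPEL_ALIAS is
REM kept for completeness although nothing below reads it.
set "PROPEL_FQDN=propelA.domain1.com"
set "PROPEL_ALIAS=propelA.domain1.com"
set "PROPEL_PASSWD=propel2014"

REM The target directory is not created anywhere else; copy fails without it.
if not exist %PROPEL_FQDN% mkdir %PROPEL_FQDN%
copy /Y root\trustedclients.keystore %PROPEL_FQDN%\propel.truststore

REM -storepasswd changes only the store password (the copy holds trusted
REM certificates, no key entries).
%KEYTOOL% -storepasswd  -new %PROPEL_PASSWD% ^
          -storepass %TRUSTEDCLIENTS_KEYSTORE_PASSWD% ^
          -keystore %PROPEL_FQDN%\propel.truststore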
 

References:
 - openssl cookbook