Generating self-signed certificates
The process of creating a self-signed certificate is straightforward because a self-signed certificate claims itself as its own issuer.
Although self-signed certificates are convenient for testing environments, clients do not trust them by default. Consequently, you should not use them as listener certificates in production environments.
The manage-certificates tool offers a generate-self-signed-certificate subcommand that can create a self-signed certificate. In addition to the arguments that provide information about the keystore, certificate alias, and optional private key password, the following arguments are available.
Argument | Description
---|---
--subject-dn | Subject DN for the certificate to create. This value is required.
 | Number of days that the certificate remains valid. Defaults to
 | Indicates the time at which the certificate begins its validity window. This value is assumed to reflect the local time zone, and must be expressed in the form Defaults to the current time if no value is specified.
--key-algorithm | Name of the algorithm to use when generating the key pair. For a listener certificate, this value is typically Defaults to
--key-length-bits | Length of the key, in bits, to generate. If the
--signature-algorithm | Name of the algorithm to use to sign the certificate. If the If the Typical signature algorithms include
 | Uses the new certificate to replace an existing certificate in the key store (within the same alias), and reuses the key for that certificate.
 | Indicates that, when replacing an existing certificate, the new certificate contains the same set of extensions as the existing certificate. If the
--subject-alternative-name-dns | Indicates that the certificate is expected to have a subject alternative name extension with the provided DNS name. The given name must be fully qualified, although it can contain an asterisk ( To include multiple DNS names in the subject alternative name extension, specify the
--subject-alternative-name-ip-address | Indicates that the certificate is expected to have a subject alternative name extension with the provided IP address. The given address must be a valid IPv4 or IPv6 address. No wildcards are allowed. To include multiple IP addresses in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided email address. To include multiple email addresses in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided URI. To include multiple URIs in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided object identifier (OID). The given value must be a valid OID. To include multiple OIDs in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a basic constraints extension, with a specified value of
 | Indicates that the basic constraints extension is expected to include a path length constraint element with the specified value. Use this argument only if A path length constraint value of A value greater than
--key-usage | Indicates that the certificate is expected to have a key usage extension with the specified value. The following values are allowed: To include multiple key usages, specify the
--extended-key-usage | Indicates that the certificate is expected to have an extended key usage extension with the specified value. The following values are allowed:
Example
For example, the following command can be used to generate a self-signed server certificate.
```sh
bin/manage-certificates generate-self-signed-certificate \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --keystore-type JKS \
     --alias server-cert \
     --subject-dn "CN=ds.example.com,O=Example Corp,C=US" \
     --key-algorithm EC \
     --key-length-bits 256 \
     --signature-algorithm SHA256withECDSA \
     --subject-alternative-name-dns ds.example.com \
     --subject-alternative-name-dns ds1.example.com \
     --subject-alternative-name-dns localhost \
     --subject-alternative-name-ip-address 1.2.3.4 \
     --subject-alternative-name-ip-address 127.0.0.1 \
     --subject-alternative-name-ip-address 0:0:0:0:0:0:0:1 \
     --key-usage digital-signature \
     --key-usage key-encipherment \
     --key-usage key-agreement \
     --extended-key-usage server-auth \
     --extended-key-usage client-auth
```

The tool then reports the keystore it created and the certificate it generated:

```
Successfully created a new JKS keystore.
Successfully generated the following self-signed certificate:
     Subject DN: CN=ds.example.com,O=Example Corp,C=US
     Issuer DN: CN=ds.example.com,O=Example Corp,C=US
     Validity Start Time: Monday, January 27, 2020 at 03:40:13 PM CST (0 seconds ago)
     Validity End Time: Tuesday, January 26, 2021 at 03:40:13 PM CST (364 days, 23 hours, 59 minutes, 59 seconds from now)
     Validity State: The certificate is currently within the validity window.
     Signature Algorithm: SHA-256 with ECDSA
     Public Key Algorithm: EC (secP256r1)
     SHA-1 Fingerprint: 4f:41:82:7f:08:e9:d8:05:8c:19:8b:3e:5b:bc:59:98:d3:15:71:3a
     SHA-256 Fingerprint: 76:e6:8e:c5:c8:8d:27:ce:2b:85:b9:8c:9d:49:3c:06:f4:40:f1:d0:70:67:39:24:fc:31:bc:f8:51:83:f2:42
```
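The following is an added example, not part of the manage-certificates documentation: it assumes openssl (1.1.1 or later) is installed, builds a certificate with the same subject, key type, SANs and key usages as the command above, and then runs the checks a reviewer would apply before deciding where the certificate may be used, including the default-trust failure that is the reason self-signed certificates stay out of production listeners.

```sh
#!/bin/sh
# Added example; assumes openssl >= 1.1.1 (for -addext/-ext). Not the tool's own code.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned-example.$$"
CERT="$WORK/cert.pem"
mkdir -p "$WORK"

# P-256 key, SHA256withECDSA signature, 365 days, SANs and key usages as in the page's example.
gen_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/key.pem" -out "$CERT" -days 365 -sha256 \
    -subj "/CN=ds.example.com/O=Example Corp/C=US" \
    -addext "subjectAltName=DNS:ds.example.com,DNS:ds1.example.com,DNS:localhost,IP:1.2.3.4,IP:127.0.0.1,IP:0:0:0:0:0:0:0:1" \
    -addext "keyUsage=digitalSignature,keyEncipherment,keyAgreement" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
}

# A certificate is self-signed exactly when its issuer DN equals its subject DN.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# True if the subject alternative name extension lists the given entry, e.g. "DNS:localhost".
has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "$2"
}

# True if the extended key usage extension includes the given purpose, as openssl prints it.
has_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -qF "$2"
}

# Chain validation with no explicit trust anchor, which is what a client does by default.
# It fails for a self-signed certificate; returns 0 only if the certificate is trusted as-is.
trusted_by_default() {
  openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1
}

# Usage: generate, then report why this certificate is suitable for testing only.
gen_cert
if is_self_signed "$CERT" && ! trusted_by_default "$CERT"; then
  echo "issuer == subject and no client trusts it by default: test use only"
fi
```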