The process of creating a self-signed certificate is straightforward because a self-signed certificate claims itself as its own issuer.
Although self-signed certificates are convenient for testing environments, clients do not trust them by default. Consequently, you should not use them as listener certificates in production environments.
The manage-certificates tool offers a generate-self-signed-certificate subcommand that can create a self-signed certificate. In addition to the arguments that provide information about the keystore, certificate alias, and optional private key password, the following arguments are available.
Argument | Description
---|---
--subject-dn | Subject DN for the certificate to create. This value is required.
 | Number of days that the certificate remains valid. Defaults to 365 if no value is specified.
 | Indicates the time at which the certificate begins its validity window. This value is assumed to reflect the local time zone, and must be expressed in the form YYYYMMDDhhmmss, where a value of 20190102030405 indicates January 2, 2019, at 3:04:05 AM. Defaults to the current time if no value is specified.
--key-algorithm | Name of the algorithm to use when generating the key pair. For a listener certificate, this value is typically RSA or EC. Defaults to RSA if no value is specified. Note: This argument cannot be used in conjunction with the
--key-length-bits | Length of the key, in bits, to generate. If the
--signature-algorithm | Name of the algorithm to use to sign the certificate. If the If the Typical signature algorithms include SHA256withRSA for certificates with RSA keys, and SHA256withECDSA for certificates with elliptic curve keys. If a default key algorithm is used but the
 | Uses the new certificate to replace an existing certificate in the key store (within the same alias), and reuses the key for that certificate.
 | Indicates that, when replacing an existing certificate, the new certificate contains the same set of extensions as the existing certificate. If the
--subject-alternative-name-dns | Indicates that the certificate is expected to have a subject alternative name extension with the provided DNS name. The given name must be fully qualified, although it can contain an asterisk (*) as a wildcard in the leftmost component. To include multiple DNS names in the subject alternative name extension, specify the
--subject-alternative-name-ip-address | Indicates that the certificate is expected to have a subject alternative name extension with the provided IP address. The given address must be a valid IPv4 or IPv6 address. No wildcards are allowed. To include multiple IP addresses in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided email address. To include multiple email addresses in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided URI. To include multiple URIs in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a subject alternative name extension with the provided object identifier (OID). The given value must be a valid OID. To include multiple OIDs in the subject alternative name extension, specify the
 | Indicates that the certificate is expected to have a basic constraints extension, with a specified value of true or false, for the flag indicating whether to consider the certificate a certification authority that can be used to sign other certificates.
 | Indicates that the basic constraints extension is expected to include a path length constraint element with the specified value. Use this argument only if A path length constraint value of 0 indicates that the certificate can be used to issue only end-entity certificates. A path length constraint value of 1 indicates that the certificate can be used to sign end-entity certificates or intermediate CA certificates, the latter of which can be used to sign only end-entity certificates. A value greater than 1 indicates the presence of several intermediate CA certificates between it and the end-entity certificate at the head of the chain.
--key-usage | Indicates that the certificate is expected to have a key usage extension with the specified value. The following values are allowed: To include multiple key usages, specify the
--extended-key-usage | Indicates that the certificate is expected to have an extended key usage extension with the specified value. The following values are allowed:
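The basic constraints rules the table describes (the CA flag and the path length constraint) are what a validator enforces when it walks a chain. The following is an added example, not code from manage-certificates or from this page: certificates are modelled as plain records with constructed sample values, and `check_chain` applies the two rules to a chain ordered leaf first, trust anchor last.

```python
"""Apply the basic-constraints rules from the table above to a chain.

Added example, not part of manage-certificates. Certificates are plain
records (constructed sample data); a real check would take the CA flag and
path length from the parsed basic constraints extension.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    is_ca: bool                     # basic constraints CA flag
    path_len: Optional[int] = None  # path length constraint, None if absent


def check_chain(chain: List[CertInfo]) -> List[str]:
    """Return the problems found in a chain ordered leaf first, root last.

    Rules (RFC 5280 section 6.1.4, as summarised in the table above):
    - a certificate that issues another must assert CA=true;
    - a path length constraint of N allows at most N intermediate CA
      certificates beneath it; 0 means it may issue only end-entity certs.
    The end-entity certificate at the head of the chain is never counted.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    # Walk from the trust anchor down toward the leaf.
    top_down = list(reversed(chain))
    for idx, cert in enumerate(top_down):
        below = top_down[idx + 1:]       # everything this certificate sits above
        if not below:
            continue                     # the leaf issues nothing
        if not cert.is_ca:
            problems.append(f"{cert.subject} issues {below[0].subject} but is not a CA")
            continue
        if cert.path_len is not None:
            intermediates = below[:-1]   # exclude the end-entity leaf
            if len(intermediates) > cert.path_len:
                problems.append(
                    f"{cert.subject} allows {cert.path_len} intermediate CA(s) "
                    f"but {len(intermediates)} follow it")
    # Each certificate must name the next one as its issuer.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(
                f"{child.subject} claims issuer {child.issuer}, not {parent.subject}")
    return problems


# Constructed sample certificates.
ROOT_CA = CertInfo("CN=Example Root", "CN=Example Root", True, 1)
INTERMEDIATE_CA = CertInfo("CN=Example Intermediate", "CN=Example Root", True, 0)
LEAF = CertInfo("CN=ds.example.com", "CN=Example Intermediate", False)
# A self-signed listener certificate is its own issuer and stands alone.
SELF_SIGNED_LEAF = CertInfo("CN=ds.example.com", "CN=ds.example.com", False)


if __name__ == "__main__":
    print("three-tier chain:", check_chain([LEAF, INTERMEDIATE_CA, ROOT_CA]) or "ok")
    print("self-signed:", check_chain([SELF_SIGNED_LEAF]) or "ok")
    extra = CertInfo("CN=Extra Intermediate", "CN=Example Intermediate", True)
    leaf2 = CertInfo("CN=ds.example.com", "CN=Extra Intermediate", False)
    for problem in check_chain([leaf2, extra, INTERMEDIATE_CA, ROOT_CA]):
        print("problem:", problem)
```

With the sample data, the intermediate's path length of 0 and the root's path length of 1 are both exceeded as soon as a second intermediate is inserted, which is exactly the situation the path length constraint exists to reject.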
For example, the following command can be used to generate a self-signed server certificate.
```shell
bin/manage-certificates generate-self-signed-certificate \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --keystore-type JKS \
     --alias server-cert \
     --subject-dn "CN=ds.example.com,O=Example Corp,C=US" \
     --key-algorithm EC \
     --key-length-bits 256 \
     --signature-algorithm SHA256withECDSA \
     --subject-alternative-name-dns ds.example.com \
     --subject-alternative-name-dns ds1.example.com \
     --subject-alternative-name-dns localhost \
     --subject-alternative-name-ip-address 1.2.3.4 \
     --subject-alternative-name-ip-address 127.0.0.1 \
     --subject-alternative-name-ip-address 0:0:0:0:0:0:0:1 \
     --key-usage digital-signature \
     --key-usage key-encipherment \
     --key-usage key-agreement \
     --extended-key-usage server-auth \
     --extended-key-usage client-auth
```

```text
Successfully created a new JKS keystore.
Successfully generated the following self-signed certificate:
     Subject DN: CN=ds.example.com,O=Example Corp,C=US
     Issuer DN: CN=ds.example.com,O=Example Corp,C=US
     Validity Start Time: Monday, January 27, 2020 at 03:40:13 PM CST
          (0 seconds ago)
     Validity End Time: Tuesday, January 26, 2021 at 03:40:13 PM CST
          (364 days, 23 hours, 59 minutes, 59 seconds from now)
     Validity State: The certificate is currently within the validity window.
     Signature Algorithm: SHA-256 with ECDSA
     Public Key Algorithm: EC (secP256r1)
     SHA-1 Fingerprint: 4f:41:82:7f:08:e9:d8:05:8c:19:8b:3e:5b:bc:59:98:d3:15:71:3a
     SHA-256 Fingerprint: 76:e6:8e:c5:c8:8d:27:ce:2b:85:b9:8c:9d:49:3c:06:f4:40:f1:d0:70:67:39:24:fc:31:bc:f8:51:83:f2:42
```
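What a client does with that certificate is the other half of the picture: it checks that the certificate is within its validity window, that a subject alternative name covers the host it connected to (with the wildcard rule the table states: an asterisk only as the whole leftmost component), and that a self-issued certificate is flagged unless it was explicitly expected, as in a test environment. The following is an added example, not code from manage-certificates or from this page. It takes the certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` is constructed by hand from the output printed above (times converted to GMT), not captured from a running listener, and the function names are this example's own.

```python
"""Check a presented certificate against the expectations the example above
was generated with.

Added example, not part of manage-certificates. The certificate uses the
dictionary shape of ssl.SSLSocket.getpeercert(); SAMPLE_CERT is constructed
from the tool output above (03:40:13 PM CST is 21:40:13 GMT).
"""
import ipaddress
import ssl
import time

# Constructed sample mirroring the certificate generated above.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "ds.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
               (("commonName", "ds.example.com"),)),
    "notBefore": "Jan 27 21:40:13 2020 GMT",
    "notAfter": "Jan 26 21:40:13 2021 GMT",
    "subjectAltName": (("DNS", "ds.example.com"), ("DNS", "ds1.example.com"),
                       ("DNS", "localhost"), ("IP Address", "1.2.3.4"),
                       ("IP Address", "127.0.0.1"),
                       ("IP Address", "0:0:0:0:0:0:0:1")),
}


def is_self_signed(cert):
    """A self-signed certificate names itself as its own issuer."""
    return cert["subject"] == cert["issuer"]


def dns_name_matches(pattern, hostname):
    """Match a SAN DNS name against a hostname. An asterisk is honoured only
    as the entire leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, rest = pattern.partition(".")
    if head != "*" or "*" in rest or not rest:
        return False
    host_head, _, host_rest = hostname.partition(".")
    return bool(host_head) and host_rest == rest


def ip_matches(san_ip, addr):
    """Compare two textual IP addresses as addresses, so ::1 equals 0:0:0:0:0:0:0:1."""
    try:
        return ipaddress.ip_address(san_ip) == ipaddress.ip_address(addr)
    except ValueError:
        return False


def check_listener_cert(cert, expected_host, now=None, expect_self_signed=False):
    """Return a list of findings; an empty list means the certificate is acceptable
    for the given host at the given time (seconds since the epoch)."""
    now = time.time() if now is None else now
    findings = []
    if is_self_signed(cert) and not expect_self_signed:
        findings.append("certificate is self-signed, which clients do not trust by default")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate has expired")
    sans = cert.get("subjectAltName", ())
    try:
        ipaddress.ip_address(expected_host)
        matched = any(kind == "IP Address" and ip_matches(value, expected_host)
                      for kind, value in sans)
    except ValueError:
        matched = any(kind == "DNS" and dns_name_matches(value, expected_host)
                      for kind, value in sans)
    if not matched:
        findings.append(f"no subject alternative name matches {expected_host}")
    return findings


if __name__ == "__main__":
    during_validity = ssl.cert_time_to_seconds("Jun 01 00:00:00 2020 GMT")
    for host in ("ds1.example.com", "::1", "other.example.com"):
        print(host, check_listener_cert(SAMPLE_CERT, host, now=during_validity,
                                        expect_self_signed=True) or "ok")
    print("production check:", check_listener_cert(SAMPLE_CERT, "ds.example.com",
                                                   now=during_validity))
```

Passing `now` explicitly keeps the check reproducible; a monitoring job would omit it and let the current time drive the expiry finding.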