Generating a server certificate from a certificate authority

For clients to verify a server's identitiy, the certificate authority (CA) must issue a signed server certificate to the server.

About this task

The following steps describe how to configure X.509 certificates using the OpenSSL toolkit and openssl commands. However, you can complete these steps using a different key management tool of your choice.


  1. Create a certificate signing request (CSR) and private key file using openssl. For example:
    openssl req -newkey  rsa:4096 -out request.csr -keyout key.pem  -nodes -sha256
    The openssl command prompts you for additional information to include in the CSR. For information on how to change algorithms, keystrength, extended attributes, and so forth, see the openssl documentation or use the command openssl req -help.
  2. Submit the CSR to the CA to generate a certificate. Each CA has its own method for completing this step.
  3. Combine the private key, the CA-provided certificate file (certificate.crt), and any CA roots/intermediaries (CA.crt) into one key store in PKCS12 format:
    For example:
    openssl pkcs12 -export -out mykeystore.p12 -inkey key.pem -in mycert.crt -certfile CA.crt
  4. Validate the PKCS12 file:
    openssl pkcs12 -in mykeystore.p12 -noout -info