This cheat sheet contains common commands for TLS certificate generation and TLS troubleshooting. If you are looking for a script that generates a keystore, a certificate authority and certificates, I recommend checking out Confluent's kafka-generate-ssl.sh script.
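# Self-signed certificate valid 10 years with a fresh 2048-bit RSA key.
# -nodes leaves the private key unencrypted on disk, so protect the file permissions.
# rsa:2048 on the command line takes precedence over default_bits in the config;
# if $CONFIG_PATH sets x509_extensions = v3_ca this is presumably the CA certificate.
openssl req -new -nodes -x509 -days 3650 -newkey rsa:2048 -keyout server.key -out certs/server.crt -config $CONFIG_PATH
# New private key plus a certificate signing request; requested extensions come from
# the req_extensions section named in $CONFIG_PATH.
openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr -config $CONFIG_PATH -nodes
# Inspect a CSR (for an issued certificate use 'openssl x509 -text' instead).
# -noout suppresses the PEM echo after the text dump.
openssl req -text -noout -in $CERT
# Show every certificate the server sends. This only reports problems; add
# -CAfile <ca.crt> -verify_return_error to make the handshake fail on a bad chain.
openssl s_client -showcerts -connect www.example.com:443
# Verify the endpoint against a private CA instead of the system trust store.
curl --cacert /var/lib/secret/ca.pem https://www.example:8443
# Sign the CSR with the CA. 'x509 -req' does not copy the CSR's extensions by default,
# so -extfile and -extensions select the section (v3_req) that carries the SAN;
# a server certificate without a SAN fails hostname verification in modern clients.
openssl x509 -req -days $DURATION -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile $CONFIG_PATH -extensions v3_req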
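# 1. Create the keystore with a new RSA key pair stored under alias "server"
#    (keytool prompts for the store/key password and the subject DN).
keytool -keystore keystore.server.jks -alias server -validity $DURATION -genkey -keyalg RSA
# 2. Generate a certificate signing request for that key and export it to a file.
keytool -keystore keystore.server.jks -alias server -certreq -file $KEYSTORE_SIGN_REQUEST
# 3. Sign the request with the CA. 'x509 -req' does not carry the CSR's extensions over
#    by default, so -extfile/-extensions attach v3_req (including the SAN) explicitly.
openssl x509 -req -CA ca.crt -CAkey ca.key -in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT -days $DURATION -CAcreateserial -extfile $CONFIG_PATH -extensions v3_req
# 4. Import the CA certificate first: keytool must be able to build the chain before it
#    accepts the signed reply. keytool prints the fingerprint and asks for confirmation;
#    "CARoot" is just a label for the trusted-cert entry.
keytool -keystore keystore.server.jks -alias CARoot -import -file ca.crt
# 5. Import the signed certificate under the SAME alias as the key pair, into the SAME
#    keystore. A different alias would create a separate trusted-cert entry instead of
#    replacing the self-signed certificate in the key entry.
keytool -keystore keystore.server.jks -alias server -import -file $KEYSTORE_SIGNED_CERT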
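# Inspect an issued certificate (subject, SAN, key usage, validity); -noout drops the PEM echo.
openssl x509 -text -noout -in $CERT
# Bundle key, certificate and issuer chain into PKCS12. -chain resolves the issuers from
# -CAfile, which must contain the CA that signed server.crt. The password is read from the
# environment ('env:') rather than passed as 'pass:...', which would be visible in process
# listings and shell history — run 'export PASSWORD' first so the child process sees it.
openssl pkcs12 -export -in server.crt -inkey server.key -chain -CAfile ca.pem -name "kafka.confluent.local" -out server.p12 -password env:PASSWORD
# Import the PKCS12 bundle into a keystore, creating it if missing. -deststoretype decides
# the format: the store is PKCS12 despite the .jks suffix. ':env' makes keytool read the
# password from the named variable instead of argv.
keytool -importkeystore -deststorepass:env PASSWORD -destkeystore server.keystore.jks -srckeystore server.p12 -deststoretype PKCS12 -srcstoretype PKCS12 -noprompt -srcstorepass:env PASSWORD
# Add a certificate to the truststore (create it if missing). Import the CA certificate,
# not individual leaf certificates, so rotated server certificates stay trusted.
# -noprompt skips the fingerprint confirmation, so only use it with a known-good file.
keytool -keystore truststore.jks -alias $ALIAS -import -file $CRT_FILE -storepass:env PASSWORD -noprompt -storetype PKCS12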
# --- CA configuration (presumably consumed by 'openssl req -new -x509 -config ...') ---
# [policy_match] is only read by 'openssl ca', which this cheat sheet never invokes;
# it is harmless but unused here.
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# 'openssl req' settings. prompt = no takes the subject verbatim from [dn].
# default_bits only applies when -newkey is absent from the command line.
[req]
prompt = no
distinguished_name = dn
default_md = sha256
default_bits = 4096
# With -x509 these extensions are written into the self-signed certificate.
x509_extensions = v3_ca

# Subject of the CA. OpenSSL only enforces the two-letter length of countryName;
# the ISO 3166-1 code for the United Kingdom is GB, and some tools reject UK.
# The commonName here is identical to the server certificate's subject; giving the CA
# a distinct name avoids leaf certificates whose subject equals their issuer, which
# RFC 5280 calls "self-issued" and which chain-building tools can mistake for self-signed.
[dn]
countryName = UK
organizationName = Confluent
localityName = London
commonName = kafka.confluent.local

# Extensions for the CA certificate itself.
[v3_ca]
subjectKeyIdentifier = hash
# Marks the certificate as an issuer; critical so relying parties must honour it.
basicConstraints = critical,CA:true
authorityKeyIdentifier = keyid:always,issuer:always
# A CA key is limited to signing certificates and CRLs.
keyUsage = critical,keyCertSign,cRLSign
# --- Server certificate configuration (CSR via 'openssl req -new -config ...') ---
[req]
prompt = no
distinguished_name = dn
default_md = sha256
# Only applies when -newkey is absent from the command line.
default_bits = 4096
# Extensions placed in the CSR. 'openssl x509 -req' does not carry them over by default:
# pass '-extfile <this file> -extensions v3_req' when signing.
req_extensions = v3_req

# Subject. OpenSSL only checks the length of countryName; the ISO 3166-1 code for the
# United Kingdom is GB.
[dn]
countryName = UK
organizationName = Confluent
localityName = London
commonName = kafka.confluent.local

[v3_req]
subjectKeyIdentifier = hash
# A leaf certificate must never be usable as an issuer.
basicConstraints = CA:FALSE
# Legacy Netscape extension, informational only.
nsComment = "OpenSSL Generated Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth for the listener; clientAuth lets the same certificate be presented when
# the host also acts as a TLS client (e.g. broker-to-broker connections).
extendedKeyUsage = serverAuth, clientAuth
# Hostname verification matches the SAN, not the commonName.
subjectAltName = @alt_names

[alt_names]
DNS.1 = kafka.confluent.local
# --- Client certificate configuration (CSR via 'openssl req -new -config ...') ---
[req]
prompt = no
distinguished_name = dn
default_md = sha256
# Only applies when -newkey is absent from the command line.
default_bits = 4096
# Extensions placed in the CSR. 'openssl x509 -req' does not carry them over by default:
# pass '-extfile <this file> -extensions v3_req' when signing.
req_extensions = v3_req

# Subject. OpenSSL only checks the length of countryName; the ISO 3166-1 code for the
# United Kingdom is GB. No SAN is needed: a client certificate is not matched against
# a hostname.
[dn]
countryName = UK
organizationName = Confluent
localityName = London
commonName = kafka.confluent.local

[v3_req]
subjectKeyIdentifier = hash
# A leaf certificate must never be usable as an issuer.
basicConstraints = CA:FALSE
# Legacy Netscape extension, informational only.
nsComment = "OpenSSL Generated Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
# clientAuth only: this certificate cannot be presented by a server.
extendedKeyUsage = clientAuth