Security Tip #1 - Generating your own root CA certificate

If you are interested in creating your own root CA certificate then read on.

The command line below generates a root CA certificate (root CA certificates are by nature self-signed) using the RSA key algorithm, with a key size of 8192 bits and a lifetime of 365 days from the time you issue the command.

Additionally, we declare through the critical BasicConstraints and KeyUsage extensions that this is a root CA certificate that will be used for certificate and revocation list signing.


    # Create the self-signed root CA key pair and certificate in my-ca.jks
    keytool -keystore my-ca.jks -genkeypair \
     -alias my-ca -dname "CN=My CA" \
     -keyalg rsa -keysize 8192 -validity 365 -noprompt \
     -ext BasicConstraints:critical=CA:true \
     -ext KeyUsage:critical=keyCertSign,cRLSign
        

Since we will need to import the root CA certificate, we export it to a PEM file.


    # Export the root CA certificate (public part only) in PEM form
    keytool -exportcert -keystore my-ca.jks -rfc \
     -alias my-ca > my-ca.pem
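
To confirm that the exported my-ca.pem really carries what the first command requested, the check below can be run before the certificate is imported anywhere. It is an added example, not code from the original post; the class name CheckRootCa is an assumption, and it expects the my-ca.pem file produced by the export command above.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
// Added example: CheckRootCa is a hypothetical helper, not part of keytool.
public class CheckRootCa {
    // Returns the deviations from the requested profile (empty list = OK).
    static List<String> check(X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        // A root CA certificate is self-issued and verifies under its own key.
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
            problems.add("subject and issuer differ");
        try { cert.verify(cert.getPublicKey()); }
        catch (Exception e) { problems.add("self-signature does not verify: " + e); }
        // getBasicConstraints() returns -1 unless the extension says CA:true.
        if (cert.getBasicConstraints() < 0)
            problems.add("BasicConstraints is not CA:true");
        // KeyUsage bit 5 is keyCertSign and bit 6 is cRLSign.
        boolean[] ku = cert.getKeyUsage();
        if (ku == null || !ku[5] || !ku[6])
            problems.add("KeyUsage lacks keyCertSign or cRLSign");
        // Both extensions were requested as critical (OIDs 2.5.29.19, 2.5.29.15).
        Set<String> critical = cert.getCriticalExtensionOIDs();
        for (String oid : new String[] {"2.5.29.19", "2.5.29.15"})
            if (critical == null || !critical.contains(oid))
                problems.add("extension " + oid + " is not marked critical");
        // The command asked for an 8192-bit RSA key.
        if (!(cert.getPublicKey() instanceof RSAPublicKey)
                || ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() != 8192)
            problems.add("public key is not 8192-bit RSA");
        return problems;
    }
    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "my-ca.pem";
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            List<String> problems = check(cert);
            problems.forEach(p -> System.err.println("FAIL: " + p));
            if (!problems.isEmpty()) System.exit(1);
            System.out.println("OK: " + cert.getSubjectX500Principal().getName());
        }
    }
}
```

On Java 11 or later it runs directly from source with `java CheckRootCa.java my-ca.pem` and exits non-zero if any property is missing.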
        

In the next blog entry we will create an intermediate CA so we can keep the root CA keystore safe.

Posted August 1, 2015
