Create certificate and private key

selfsigncert.sh:

#!/bin/bash
# For HTTPS servers remember to put the
# server FQDN in the CN.

basename="$1"
subject="$2"

KEY="$basename.key"
CSR="$basename.csr"
CRT="$basename.crt"

# Generate key
openssl genrsa -out "$KEY" 1024 || exit 1

# Certificate Signing Request (Remember to modify the signing request subject)
openssl req -new -key "$KEY" -out "$CSR" -subj "$subject" || exit 1

# Self sign
openssl x509 -req -days 1000 -in "$CSR" -out "$CRT" -signkey "$KEY" || exit 1

User/role certificate

./selfsigncert.sh myCert "/C=DK/O=my Organisation/OU=my Department/CN=my Name"

Web server certificate:

./selfsigncert.sh myCert "/C=DK/O=KB/OU=DIS/CN=myhost.kb.dk"

For self signed certificates, the .csr-file can be safely ignored

Optionally create java keystore from certificate, eg. for activemq

Convert the broker key and certificate to PKCS12 format - enter a password when prompted and use that password again for the next step

  openssl pkcs12 -export -in broker.crt -inkey broker.key -out broker.p12

Import the server key from the p12 file. Note that redhats builtin keytool is bogus!

  <path_to_jre_or_jdk>/keytool    \
          -importkeystore         \
          -srckeystore broker.p12 \
          -srcstoretype pkcs12    \
          -destkeystore broker.ks \
          -storepass 123456