Generating a key and self-signed certificate

The JDK provides the keytool command to create self-signed certificates. First, we will create a keystore using the following command:

keytool -genkeypair -alias mysolr -keyalg RSA -keysize 2048 -keypass solrpass -storepass solrpass -validity 3650 -keystore mysolrkeystore.jks

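In the preceding command, we are creating a keystore named mysolrkeystore.jks using the RSA algorithm, with a key size of 2048 bits and a validity of 10 years. We have also given the alias name of mysolr and specified the key password and store password. Passwords passed with -keypass and -storepass are visible in shell history and the process list; if you omit them, keytool prompts for them instead. This will open up an interactive prompt, as shown here: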

In the interactive prompt, fill in the rest of the details and voilà! You have your keystore ready.

We will now convert this keystore into PEM format, which is accepted by most clients. This requires a two-step process:

  • Converting the keystore from JKS to PKCS12 format
  • Final conversion to PEM format

In order to do the first conversion to PKCS12 format, we will still use the JDK keytool. The command is as follows:

keytool -importkeystore -srckeystore mysolrkeystore.jks -destkeystore mysolrkeystore.p12 -srcstoretype jks -deststoretype pkcs12

As you can see, we import the keystore, specifying both the source and destination keystore names and their types (jks for the source, pkcs12 for the destination). You will see an interactive session opening up again:

As shown here, you will be asked for the destination password for the new keystore and also for the source keystore password. Keep the password the same as the one we entered earlier, and the import should complete successfully. You will now have mysolrkeystore.p12 in your directory.

Now, for the final conversion, we will use OpenSSL. Issue the following command:

openssl pkcs12 -in mysolrkeystore.p12 -out mysolrkeystore.pem

The command is straightforward. You will be presented with options to specify the password once again. Once you have done so, the folder from which you issued the command will contain all three files (the jks, pkcs12, and pem keystores), as shown here:

Congratulations!!! You are one step closer to setting up SSL.
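
A quick audit of the resulting mysolrkeystore.pem, as an added example that is not part of the original text: the file written by openssl pkcs12 holds the private key as well as the certificate, so the script lists its PEM blocks and fails if the key is stored without a passphrase or the file is accessible to group or other. The function names are hypothetical, and the script assumes the file was produced by the openssl command above.

```shell
#!/bin/sh
# Added example (not from the original text): audit the PEM bundle produced by
#   openssl pkcs12 -in mysolrkeystore.p12 -out mysolrkeystore.pem
# Function names are hypothetical.

# List the PEM block types in a file, one "<count> <label>" per line.
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort | uniq -c | sed 's/^ *//'
}

# Count private-key blocks stored in the clear. A PKCS#8 "ENCRYPTED PRIVATE KEY"
# block is protected; a traditional "RSA PRIVATE KEY" block is protected only
# when its first header line is "Proc-Type: 4,ENCRYPTED".
plaintext_keys() {
    awk '
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----$/ { pending = 1; next }
        pending { if ($0 !~ /^Proc-Type: 4,ENCRYPTED/) plain++; pending = 0 }
        END { print plain + 0 }
    ' "$1"
}

# Return 0 when the bundle passes every check below, 1 otherwise.
check_pem_bundle() {
    f=$1
    rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate in $f"; rc=1; }
    [ "$keys" -ge 1 ] || { echo "FAIL: no private key in $f"; rc=1; }
    if [ "$(plaintext_keys "$f")" -gt 0 ]; then
        echo "FAIL: private key is not passphrase-protected"; rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $f is accessible to group/other; run chmod 600"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $certs certificate(s), $keys encrypted key(s)"
    return "$rc"
}

# Run the audit when a file name is given on the command line.
if [ $# -gt 0 ]; then check_pem_bundle "$1"; fi
```

Save it as a script and pass mysolrkeystore.pem as the only argument; a non-zero exit status means at least one check failed.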
