After generating a certificate signing request, the next step is to request an actual certificate signed by a certificate authority. One of the easiest and fastest ways to obtain such a certificate is to request it from Comodo CA. This company offers free short-term 90-day certificates, recognised by all modern and legacy browsers. Sign up and follow the instructions to issue an InstantSSL Trial Certificate valid for 90 days.
Alternatively, it is possible to obtain a free certificate from RapidSSL CA. This company offers a free short-term 30-day certificate, recognised by all modern and legacy browsers. RapidSSL free certificate (DV)
Another way to get a 90-day certificate is Let’s Encrypt CA. This CA issues certificates through an automated process designed to eliminate the hitherto complex manual process of certificate creation. The command below issues a certificate using the provided certificate request:
certbot certonly -n --csr /path/to/csr/request.csr --fullchain-path /path/to/issued/certificate.crt --cert-name certificate-name -d www.example.com -d example.com --webroot -w /path/to/web/root --agree-tos --expand --email your@email.com
It is often useful to issue a certificate yourself, for instance, when encrypted communication channels are required. Note that browsers and other software won't trust such certificates. The following command generates such a certificate:
openssl x509 -req -days 365 -in csr-request.csr -signkey pem-private.key -out certificate.crt
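Whichever way the certificate was issued, it is worth confirming that it carries the same public key as the private key and the CSR, and that it stays valid long enough, before deploying or converting it. The script below is an added example, not part of the original page; the function names, the temporary files and the CN=www.example.com subject are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Print the SHA-256 digest of the PEM public key in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file yields no PEM; fail instead of hashing empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches KEY CSR CERT [SECONDS]
# Succeeds only if all three share one public key and the certificate
# is still valid SECONDS from now (default 0).
cert_matches() {
    k=$(pubkey_digest key "$1")  || return 1
    r=$(pubkey_digest csr "$2")  || return 1
    c=$(pubkey_digest cert "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    openssl x509 -in "$3" -noout -checkend "${4:-0}" >/dev/null 2>&1
}

# Demo on throwaway files (constructed sample subject): creates a key and CSR,
# self-signs with the page's command, checks the result, prints the directory.
selfsign_demo() {
    d=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/private.key" -out "$d/csr-request.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$d/csr-request.csr" \
        -signkey "$d/private.key" -out "$d/certificate.crt" >/dev/null 2>&1 &&
    cert_matches "$d/private.key" "$d/csr-request.csr" "$d/certificate.crt" 86400 &&
    echo "$d"
}

if dir=$(selfsign_demo); then
    echo "key, CSR and certificate match in $dir"
    rm -rf "$dir"
fi
```

For a CA-issued certificate, call cert_matches with the real key, CSR and issued certificate paths; the fourth argument is the remaining validity to require, in seconds.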
Some software supports certificates in a certain format only. For example, Java applications, such as the Tomcat web server, support SSL certificates only as a bundle in Java trust store format. To convert a certificate and private key from .pem format to .keystore format, follow these steps:
First, convert the certificate and the private key to PKCS12 format. The openssl tool has a pkcs12 command for this:
openssl pkcs12 -export -in certificate.crt -inkey private.key -out certificate-bundle.pkcs12 -password pass:
The -password option sets the passphrase, which is empty in the given example.
Second, convert the certificate from .pkcs12 format to Java .keystore format:
keytool -importkeystore -srckeystore certificate-bundle.pkcs12 -srcstoretype pkcs12 -destkeystore certificate-bundle.jks -srcstorepass "" -deststorepass 1234567890 -destkeypass 1234567890 -srcalias 1 -destalias 1 -deststoretype jks
Note that it is mandatory to set a password for each certificate in the trust store. It can be done interactively, or with the options -deststorepass and -destkeypass.