Signing a Certificate Signing Request

Cryptography Tutorials - Herong's Tutorial Examples

∟Signing a Certificate Signing Request

This section provides a tutorial example on how to sign someone else's certificate signing request with your self-signed certificate.

Even though I am not a well established CA, but I can still use OpenSSL to sign somebody else's certificate. The following process shows you how Herong Yang signs John Smith's certificate:

>echo generating a key pair for John
>openssl genrsa -out john_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 512 bit long modulus
..................++++++++++++
.++++++++++++
e is 65537 (0x10001)

>echo generating the certificate signing request for John
>openssl req -new -key john_rsa.key -out john.csr 
   -config openssl.cnf
   
You are about to be asked to enter information that will be incorp...
into your certificate request.
What you are about to enter is what is called a Distinguished Name...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:John Smith
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

>echo signing John's request with Herong's certificate and key
>openssl x509 -req -in john.csr -CA herong.crt 
   -CAkey herong_rsa_des.key -out john.crt

Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
Getting CA Private Key
Enter pass phrase for herong_rsa_des.key:

>echo looking at John's certificate
>openssl x509 -in john.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 5 (0x5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=PN, L=CN, O=ON, OU=UN, CN=Herong Yang
        Validity
            Not Before: Jul 17 03:10:39 2002 GMT
            Not After : Aug 16 03:10:39 2002 GMT
        Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=John Smith
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d4:a4:be:ce:2d:be:88:56:ef:d3:de:13:15:33:
                    59:84:ea:08:fe:bc:c8:70:93:30:c0:c4:c5:de:e3:
                    65:e8:98:e1:15:12:27:d4:00:69:6e:22:fa:c3:72:
                    4a:75:a6:d8:66:dc:ec:12:f6:92:94:09:3c:3a:61:
                    69:47:99:b3:91
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        57:a5:9f:93:8e:f8:69:cd:9b:70:ff:f5:fc:78:e3:f6:da:70:
        b9:5d:d6:a8:ac:ae:76:41:13:04:99:28:97:55:9b:5e:94:c7:
        c5:59:26:77:33:cb:67:aa:1c:d5:0e:b7:de:33:73:b1:f6:3a:
        0b:c2:d9:6a:5b:f1:d1:ab:60:9b

This is nice. Now I can sign anyone's certificate, and become a CA! All I need is my RSA key pair, herong_rsa_des.key, my self-signed certificate, herong.crt, and the "x509" command.

Last update: 2013.

Table of Contents

About This Book

Cryptography Terminology

Cryptography Basic Concepts

Introduction to AES (Advanced Encryption Standard)

Introduction to DES Algorithm

DES Algorithm - Illustrated with Java Programs

DES Algorithm Java Implementation

DES Algorithm - Java Implementation in JDK JCE

DES Encryption Operation Modes

DES in Stream Cipher Modes