PKI Tutorials - Herong's Tutorial Examples - Version 2.03, by Dr. Herong Yang
Generating CSR for a Personal Certificate
This section provides a tutorial example on how to generate a CSR for a personal certificate on an email address with the JDK keytool command.
So how can I get a free personal certificate that can be validated up to a trusted root CA? The answer is go to CAcert.org and get a personal certificate.
1. Go to CAcert.org and "Password Login" to my account with IE 8.
2. Click "New" under the "Client Certificate" menu. Client certificate is really a personal certificate in CAcert.org's term.
The "New Client Certificate" page shows up:
3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.
C:\herong>\local\jdk\bin\keytool -genkey -alias firstname.lastname@example.org -keystore herong.jks -storepass HerongJKS What is your first and last name? [Unknown]: email@example.com What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: What is the name of your City or Locality? [Unknown]: What is the name of your State or Province? [Unknown]: What is the two-letter country code for this unit? [Unknown]: Is CNfirstname.lastname@example.org, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes Enter key password for <email@example.com> (RETURN if same as keystore password): <Return>
4. Use JDK keytool to generate CSR from the private and public key pair:
C:\herong>\local\jdk\bin\keytool -certreq -alias firstname.lastname@example.org -keystore herong.jks -storepass HerongJKS -file herong_yang_yahoo_com.csr
5. Open the CSR file, herong_yang_yahoo_com.csr, in a text editor:
-----BEGIN NEW CERTIFICATE REQUEST----- MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj... ... -----END NEW CERTIFICATE REQUEST-----
Now, I have my own private key and public pair for my email address, email@example.com, stored in KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herong_yang_yahoo_com.csr ready to send to any CA to sign into a client certificate.
Last update: 2011.
Table of Contents