PKI Tutorials - Herong's Tutorial Examples - Version 2.02, by Dr. Herong Yang

Generating CSR for a Personal Certificate

This section provides a tutorial example on how to generate a CSR for a personal certificate for an email address with the JDK keytool command.

So how can I get a free personal certificate that can be validated up to a trusted root CA? The answer is to go to CAcert.org and get a personal certificate.

1. Go to CAcert.org and log in to my account through "Password Login" with IE 8.

2. Click "New" under the "Client Certificate" menu. In CAcert.org's terminology, a client certificate is really a personal certificate. The "New Client Certificate" page shows up.

3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.

C:\herong>\local\jdk\bin\keytool -genkey -alias herong_yang@yahoo.com 
   -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  herong_yang@yahoo.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=herong_yang@yahoo.com, OU=Unknown, O=Unknown, L=Unknown, 
   ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <herong_yang@yahoo.com>
        (RETURN if same as keystore password): <Return>

4. Use JDK keytool to generate a CSR from the private and public key pair:

C:\herong>\local\jdk\bin\keytool -certreq -alias herong_yang@yahoo.com
   -keystore herong.jks -storepass HerongJKS 
   -file herong_yang_yahoo_com.csr

5. Open the CSR file, herong_yang_yahoo_com.csr, in a text editor:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj...

...
-----END NEW CERTIFICATE REQUEST-----

Now, I have my own private and public key pair for my email address, herong_yang@yahoo.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herong_yang_yahoo_com.csr, ready to send to any CA to be signed into a client certificate.
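
Step 5 shows the CSR only as Base64 text. The following Python code is an added example, not part of the original tutorial: it decodes the PKCS#10 structure and lists the subject, so the answers typed at the keytool prompts can be checked before the file goes to a CA. It accepts keytool's "NEW CERTIFICATE REQUEST" label as well as the plain one; sample_csr and the address user@example.com are constructed test data, and the signature is not verified.

```python
import base64, re

# DER-encoded OIDs of the subject attributes that keytool's prompts fill in.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element nested in value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def csr_subject(pem):  # -> subject of a PEM CSR as a list of (attribute, value)
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no certificate request block found")
    der = base64.b64decode("".join(m.group(1).split()))
    (_, info), *_ = children(read_tlv(der)[1])    # CertificationRequestInfo
    (_, version), (_, name), *_ = children(info)  # version INTEGER, subject Name
    if version != b"\x00":
        raise ValueError("unexpected PKCS#10 version")
    subject = []
    for _, rdn in children(name):      # each RDN is a SET ...
        for _, atv in children(rdn):   # ... of SEQUENCE { OID, value }
            (_, oid), (_, val) = children(atv)
            subject.append((OIDS.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    return subject

def tlv(tag, body):  # sample builder only; handles lengths under 256
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_csr(cn):  # constructed sample, not a real request: empty key, no valid signature
    attrs = zip((6, 8, 7, 10, 11, 3), ["Unknown"] * 5 + [cn])  # C ST L O OU CN
    name = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, bytes([0x55, 4, o])) + tlv(0x0C, v.encode())))
                    for o, v in attrs)
    info = tlv(0x02, b"\x00") + tlv(0x30, name) + tlv(0x30, b"") + tlv(0xA0, b"")
    der = tlv(0x30, tlv(0x30, info) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN {0}-----\n{1}-----END {0}-----\n".format(
        "NEW CERTIFICATE REQUEST", base64.encodebytes(der).decode())
```

On JDK 7 and later, keytool -printcertreq -file herong_yang_yahoo_com.csr prints the same subject fields without extra code.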

Last update: 2011.


Generating CSR for a Personal Certificate - Updated in 2015, by Dr. Herong Yang