PKI Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 2.00

Generating CSR for a Personal Certificate

This section provides a tutorial example on how to generate a CSR for a personal certificate on an email address with the JDK keytool command.

So how can I get a free personal certificate that can be validated up to a trusted root CA? The answer is to go to CAcert.org and get a personal certificate.

1. Go to CAcert.org with IE 8 and use "Password Login" to log in to my account.

2. Click "New" under the "Client Certificate" menu. "Client certificate" is CAcert.org's term for a personal certificate. The "New Client Certificate" page shows up.

3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.

C:\herong>\local\jdk\bin\keytool -genkey -alias herong_yang@yahoo.com -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  herong_yang@yahoo.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=herong_yang@yahoo.com, OU=Unknown, O=Unknown, L=Unknown, 
   ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <herong_yang@yahoo.com>
        (RETURN if same as keystore password): <Return>

4. Use JDK keytool to generate CSR from the private and public key pair:

C:\herong>\local\jdk\bin\keytool -certreq -alias herong_yang@yahoo.com -keystore herong.jks -storepass HerongJKS -file herong_yang_yahoo_com.csr

5. Open the CSR file, herong_yang_yahoo_com.csr, in a text editor:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj...

...
-----END NEW CERTIFICATE REQUEST-----

Now I have my own private and public key pair for my email address, herong_yang@yahoo.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herong_yang_yahoo_com.csr, ready to send to any CA to be signed into a client certificate.
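Before the request goes to a CA, it is worth checking which subject it actually carries, because the "Unknown" answers accepted in step 3 are written into the CSR. The Python code below is an added example, not part of the original tutorial: it reads a PEM request with either the keytool "NEW CERTIFICATE REQUEST" label or the plain "CERTIFICATE REQUEST" label and lists the subject attributes. The function names and SAMPLE_CSR (a constructed request with an empty key and a dummy signature) are assumptions made for illustration.

```python
import base64, re

# DER-encoded X.520 attribute OIDs (2.5.4.x) behind keytool's name prompts.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
PEM_RE = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
                    r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return the values of the DER elements nested in a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        _, val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def csr_subject(pem):
    """Return the subject of a PEM PKCS#10 request as (attribute, value) pairs."""
    m = PEM_RE.search(pem)                # keytool writes the "NEW" label
    if not m:
        raise ValueError("no certificate request PEM block found")
    request = read_tlv(base64.b64decode("".join(m.group(2).split())))[1]
    info = children(request)[0]           # CertificationRequestInfo
    name = children(info)[1]              # [0] is the version, [1] the subject Name
    return [(OID_NAMES.get(oid, oid.hex()), val.decode("utf-8", "replace"))
            for rdn in children(name)     # Name = SEQUENCE OF SET OF SEQUENCE
            for oid, val in map(children, children(rdn))]

def _tlv(tag, body):                      # minimal DER encoder, sample data only
    return bytes([tag, len(body)]) + body

# Constructed sample, not the page's CSR: C and CN only, empty key, dummy signature.
_rdns = [(b"\x55\x04\x06", b"Unknown"), (b"\x55\x04\x03", b"herong_yang@yahoo.com")]
_name = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, o) + _tlv(0x13, v))) for o, v in _rdns)
_info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, _name) + _tlv(0x30, b""))
_der = _tlv(0x30, _info + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_CSR = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(_der).decode()
              + "-----END NEW CERTIFICATE REQUEST-----\n")
print(csr_subject(SAMPLE_CSR))
```

To check a real request, pass the text of the .csr file to csr_subject(); a file that has been cut short raises ValueError instead of returning a partial subject.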


Dr. Herong Yang, updated in 2011