Generating CSR for a Personal Certificate

This section provides a tutorial example on how to generate a CSR for a personal certificate on an email address with the JDK keytool command.

So how can I get a free personal certificate that can be validated up to a trusted root CA? The answer is to go to CAcert.org and get a personal certificate.

1. Go to CAcert.org and use "Password Login" to log in to my account with IE 8.

2. Click "New" under the "Client Certificate" menu. "Client certificate" is CAcert.org's term for a personal certificate. The "New Client Certificate" page shows up:

Add domain name to CAcert account

3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.

herong> keytool -genkey -alias herong_yang@yahoo.com \
   -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  herong_yang@yahoo.com
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=herong_yang@yahoo.com, OU=Unknown, O=Unknown, L=Unknown,
   ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <herong_yang@yahoo.com>
        (RETURN if same as keystore password): <Return>

4. Use JDK keytool to generate CSR from the private and public key pair:

herong> keytool -certreq -alias herong_yang@yahoo.com \
   -keystore herong.jks -storepass HerongJKS \
   -file herong_yang_yahoo_com.csr

5. Open the CSR file, herong_yang_yahoo_com.csr, in a text editor:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj...

...
-----END NEW CERTIFICATE REQUEST-----

Now I have my own private and public key pair for my email address, herong_yang@yahoo.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herong_yang_yahoo_com.csr, ready to send to any CA to be signed into a client certificate.
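The visible first line of the CSR in step 5 already shows what the blank answers in step 3 put into the request. The following is an added example, not part of the original tutorial (the function names are illustrative): it walks the DER structure of that truncated base64 text with the Python standard library and lists the subject attributes it can recover, stopping where the page's data ends.

```python
import base64

# Visible first line of the CSR from step 5; the rest is elided on the page.
CSR_PREFIX_B64 = "MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj"

# X.520 attribute-type OIDs (2.5.4.x) as raw DER content bytes.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos, want=None):
    """Return (tag, declared_length, content_offset) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if want is not None and tag != want:
        raise ValueError(f"offset {pos}: expected tag {want:#04x}, got {tag:#04x}")
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def subject_from_csr(pem_or_b64):
    """Return (rdns, complete) read from full or truncated PKCS#10 PEM/base64 text."""
    body = "".join(l.strip() for l in pem_or_b64.splitlines() if "-----" not in l)
    der = base64.b64decode(body + "=" * (-len(body) % 4))
    _, _, pos = read_tlv(der, 0, 0x30)                   # CertificationRequest
    _, _, pos = read_tlv(der, pos, 0x30)                 # CertificationRequestInfo
    _, vlen, pos = read_tlv(der, pos, 0x02)              # version INTEGER
    _, name_len, pos = read_tlv(der, pos + vlen, 0x30)   # subject Name
    name_end, rdns = pos + name_len, []
    while pos < min(name_end, len(der)):
        try:
            _, set_len, p = read_tlv(der, pos, 0x31)     # one RDN (SET)
            next_rdn = p + set_len
            _, _, p = read_tlv(der, p, 0x30)             # AttributeTypeAndValue
            _, oid_len, p = read_tlv(der, p, 0x06)       # attribute type OID
            _, val_len, v = read_tlv(der, p + oid_len)   # string value, any type
        except (IndexError, ValueError):
            break                                        # header cut off or malformed
        if v + val_len > len(der):
            break                                        # value cut off by truncation
        oid = der[p:p + oid_len]
        rdns.append((OID_NAMES.get(oid, oid.hex()), der[v:v + val_len].decode("latin-1")))
        pos = next_rdn
    return rdns, name_end <= len(der)

def placeholder_fields(rdns):
    """Attributes whose value is the 'Unknown' keytool stored for a blank answer."""
    return [attr for attr, value in rdns if value == "Unknown"]

if __name__ == "__main__":
    print(subject_from_csr(CSR_PREFIX_B64))
```

On the page's text this recovers C and ST, both holding the literal string Unknown, and reports the subject as incomplete because the remaining lines of the request are elided.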
