'OpenSSL' Signing CSR Generated by 'keytool'
After I published my notes on "OpenSSL" and "keytool", many viewers have asked questions
about the compatibility between those two tools. In this chapter, I will test how "OpenSSL"
and "keytool" can work together with following scenarios:
- Setting Up "OpenSSL" to be used as a CA (Certificate Authority).
- Using "OpenSSL" to generate CA's private and public key pair.
- Using "OpenSSL" to self-sign CA's public key certificate.
- Using "keytool" to generate a private and public key pair.
- Using "keytool" to generate a CSR (Certificate Sign Request) from a key pair.
- Using "OpenSSL" to sign a CSR with CA's key pair and public key certificate.
- Using "keytool" to import signed certificates into keystore files.
Using OpenSSL to Act as a CA (Certificate Authority)
If I want to act as a CA (Certificate Authority), I must have a tool
to sign other people's CSR (Certificate Signing Request). As we learned from
previous tutorials, "keytool" can not sign CSR. So I must use "OpenSSL"
to act as a CA.
Here is a list of things I need to do with "OpenSSL" as a CA:
- Install "OpenSSL" installed properly and create configuration file, openssl.cnf.
- Created a CA private key file with 2048-bit keys, and protect it with a password.
- Self-sign my CA public key certificate, which can be given out to anyone.
Let's check the "OpenSSL" installation first. If "OpenSSL" was installed at \local\GnuWin32\,
the following command should report back the version number:
OpenSSL 0.9.7c 30 Sep 2003
To save typing time, I added \local\gnuwin32\bin\ to the PATH environment variable as shown above.
Then look at the configuration file, openssl.cnf, which is needed only when I self-signing my CA public certificate.
I can use the openssl.cnf as is without any changes. But if I want to put in my CA distinguished name information
to save time when self-signing my CA public certificate:
countryName_default = CA
stateOrProvinceName_default = HY State
localityName_default = HY City
0.organizationName_default = HY Company
organizationalUnitName_default = HY Unit
commonName_default = Herong Yang
emailAddress_default = herongyang.com
So I am ready to generated my CA private key as described in the next section.
"OpenSSL" Generating CA's Private Key
As a CA, I must have good private key and securely store it in a file.
This can be done with a single OpenSSL command "openssl genrsa"
as shown in the following command window session:
>openssl genrsa -out herong.key -des 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for herong.key: keypass
Verifying - Enter pass phrase for herong.key: keypass
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Notes about what I did here:
- "genrsa" command is used to generate a pair of private key and public key using RSA algorithm.
- "-out herong.key" tells openssl to store the private key in a file called herong.key.
- "-des" option is used to encrypt my private key file "herong.key" with DES algorithm.
- "2048" used to force openssl to generate keys a length of 2048 bits. The default length is 512.
Longer keys give better protection.
- "-outpass keypass" is not used on the command line, because it does not work (See the test below).
So I entered it when "OpenSSL" prompted for it.
- "type herong.key" is Windows command to shows the content of "herong.key".
Error message received when "-outpass keypass" is used:
>openssl genrsa -out test.key -des -passout keypass 2048
Invalid password argument "keypass"
Error getting password
(Continued on next part...)