'OpenSSL' Signing CSR Generated by 'keytool'
(Continued from previous part...)
Want to see some details about my private key? Run the "openssl rsa" command as shown below:
>openssl rsa -in herong.key -text
Enter pass phrase for herong.key: keypass
Private-Key: (2048 bit)
modulus:
00:ba:a3:a2:d1:ab:9b:9f:26:e6:b5:79:b4:52:11:
...
publicExponent: 65537 (0x10001)
privateExponent:
00:9d:62:da:2d:57:3a:2f:36:5d:bc:d0:f9:97:6f:
...
exponent1:
27:6c:ec:a2:b8:78:5f:55:67:b9:47:eb:3e:25:5d:
...
exponent2:
00:a9:17:88:e5:d7:63:c3:7b:f8:6f:57:78:de:53:
...
coefficient:
30:f5:86:b6:81:ad:1d:35:2c:1a:c1:ba:b9:d9:ab:
...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuqOi0aubnybmtXm0UhE47JSDcCrc/NGtfbtJdk+9...
...
-----END RSA PRIVATE KEY-----
Now I am ready to generate a self-signed public key certificate based on my private key file
as described in the section below.
"OpenSSL" Self-signing CA's Public Key Certificate
As you know, my key file actually contains a pair of keys: my private key and my public key.
My private key will be used only by myself to sign documents. My public key will be used by whoever
receives a document signed by me to verify the signature.
To give out my public key, I need to put it into a certificate together with my name, and sign
that certificate with my own private key. This process is called generating a self-signed public key certificate.
OpenSSL can do this in a single command, "openssl req -new -x509", as shown in the following
command window session:
>openssl req -new -key herong.key -x509 -days 3650
-out herong.crt -config openssl.cnf
Enter pass phrase for herong.key: keypass
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:
>type herong.crt
-----BEGIN CERTIFICATE-----
MIIElzCCA3+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UE...
...
KqbxyZS65093ifrC0kmfNCY3cq+vBqdMvpV9
-----END CERTIFICATE-----
Here is what happened:
- "req" command is used to generate a certificate signing request or self-signed certificate.
- "-new" option is used to prompt for certificate "subject" information.
- "-key herong.key" option is used to specify my key file containing my private key and public key. You will be prompted for its pass phrase.
- "-x509" option is used to tell "req" to generate self-signed certificate.
- "-days 3650" option is used to make the self-signed certificate valid for 3650 days, about 10 years.
- "-out herong.crt" option is used to tell "req" to store the self-signed certificate in a file called "herong.crt".
- "-config openssl.cnf" option is used to specify the configuration file.
- When you are prompted for distinguished name information, just press the Enter key to take the default values.
- "type herong.crt" is the Windows command to show the content of "herong.crt".
Want to see some details about my self-signed certificate? Run the "openssl x509" command as shown below:
>openssl x509 -in herong.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=HY State, L=HY City, O=HY Company,
OU=HY Unit, CN=Herong Yang/emailAddress=herongyang.com
Validity
Not Before: Apr 1 14:07:29 2007 GMT
Not After : Mar 29 14:07:29 2017 GMT
Subject: C=CA, ST=HY State, L=HY City, O=HY Company,
OU=HY Unit, CN=Herong Yang/emailAddress=herongyang.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ba:a3:a2:d1:ab:9b:9f:26:e6:b5:79:...
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
36:7C:F4:4A:A4:9B:C9:B5:C5:F7:09:3F:31:1...
X509v3 Authority Key Identifier:
keyid:36:7C:F4:4A:A4:9B:C9:B5:C5:F7:09:3...
DirName:/C=CA/ST=HY State/L=HY City
/O=HY Company/OU=HY Unit/CN=Herong Yang
/emailAddress=herongyang.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
aa:40:06:c0:cb:28:74:b1:1e:c2:a2:89:4f:8d:1e:9c:...
...
Notice that a default serial number, 0, is used when self-signing your own CA public key certificate.
(Continued on next part...)