'OpenSSL' Signing CSR Generated by 'keytool'
As a CA, I now have my private key and my public key certificate, so I am ready to sign certificate requests.
The next section describes how someone else can use "keytool" to generate a key pair and ask me to sign the public key.
One error I ran into: using the "openssl req -new -x509" command without the "-config openssl.cnf"
option. "OpenSSL" gives an error like this:
>openssl req -new -key herong.key -x509 -out herong.crt -days 3650
Unable to load config info
Enter pass phrase for herong.key:
unable to find 'distinguished_name' in config
problems making Certificate Request
2252:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:325:
The "req" command reads the "distinguished_name" section from a configuration file. Either pass "-config openssl.cnf"
on every call, or point the OPENSSL_CONF environment variable at the file; the last error line ("no conf or environment
variable") is OpenSSL reporting that it found neither.
"keytool" Generating Maria's Private Key
In this section, let's assume that Maria is using "keytool". She wants to have her own private key
to sign documents. But she needs her public key certificate to be signed by me, Herong, for two reasons:
- "keytool -genkeypair" only wraps Maria's new public key in a certificate that she signs herself; keytool gives her
no way to obtain anything better on her own.
- Other people do not trust a certificate Maria signed herself. They trust one issued by a CA they already know.
So Maria starts by generating her own key pair and storing it in a "keystore" file.
This can be done with a single "keytool -genkeypair" command, as shown in the following command
session:
>java -version
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode, sharing)
>keytool -genkeypair -alias maria_key -keysize 1024 -keystore maria.jks -storepass jkspass -keypass keypass
What is your first and last name?
[Unknown]: Maria Teresa
What is the name of your organizational unit?
[Unknown]: Maria Unit
What is the name of your organization?
[Unknown]: Maria Company
What is the name of your City or Locality?
[Unknown]: Maria City
What is the name of your State or Province?
[Unknown]: Maria State
What is the two-letter country code for this unit?
[Unknown]: AT
Is CN=Maria Teresa, OU=Maria Unit, O=Maria Company, L=Maria City,
ST=Maria State, C=AT correct?
[no]: yes
Here is what Maria did:
- "java -version" command is used to check the Java version.
- "keytool -genkeypair" command is used to generate a key pair: Maria's private key and Maria's public key.
- "-keystore maria.jks" option specifies the keystore file name to hold the key pair.
- "-alias maria_key" option specifies the entry name of the key pair in the keystore file, because a keystore file
can hold multiple key and certificate entries.
- "-keysize 1024" option specifies the key size to be 1024 bits. No "-keyalg" option was given, so keytool used its
default algorithm, DSA, and the Java 6 DSA key generator only goes up to 1024 bits. That is why a 2048-bit key could
not be generated here; with "-keyalg RSA", "-keysize 2048" works.
- "-storepass jkspass" option specifies a password to protect the keystore file.
- "-keypass keypass" option specifies a password to protect the "maria_key" entry in the keystore file. Both passwords
given on the command line end up in the shell history and are visible to other users in the process list; omit the
two options and keytool prompts for them instead.
- "keytool" also requires Maria's identification information (distinguished name) at the time the key pair is
generated. It is needed because "-genkeypair" does not store a bare key pair: it immediately wraps the new public key
in a self-signed certificate (valid for 90 days unless "-validity" says otherwise) and stores key and certificate
together as one entry, which is why the keystore listing below shows a certificate fingerprint.
Want to confirm that Maria's key pair is in the keystore file? Try this command:
>keytool -list -keystore maria.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C...
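The same key-pair generation as a non-interactive script, added here as an example (it is not part of the original tutorial). It supplies the DN with "-dname" so keytool does not prompt, selects RSA 2048 explicitly, and then runs the two checks a practitioner wants before sending anything to a CA: that the keystore holds exactly one PrivateKeyEntry, and that the certificate stored with it is still self-signed (Owner equals Issuer in the "keytool -list -v" output). It assumes a JDK "keytool" on PATH; the file name, alias, passwords and DN are the tutorial's. Because keytool is a command-line tool, the example is a shell script rather than Java.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Generates Maria's key pair
# non-interactively and checks what keytool actually stored.
# Assumes: a JDK "keytool" on PATH. File name, alias and passwords mirror
# the tutorial; the DN is the one Maria typed at the prompts.
set -e

KEYSTORE=maria.jks
ALIAS=maria_key
STOREPASS=jkspass
KEYPASS=keypass
DNAME="CN=Maria Teresa, OU=Maria Unit, O=Maria Company, L=Maria City, ST=Maria State, C=AT"

# Create the key pair plus the self-signed certificate keytool always wraps
# around the new public key. -dname replaces the interactive prompts;
# -keyalg RSA is required because the default algorithm is DSA, which is what
# limited keys to 1024 bits on Java 6; -storetype JKS keeps the tutorial's
# keystore type on JDKs that default to PKCS12.
generate_keypair() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -dname "$DNAME" \
        -storetype JKS -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Number of keystore entries of the given type, e.g. PrivateKeyEntry or
# trustedCertEntry (grep -c prints 0 and exits 1 when there is none).
count_entries() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -c "$1" || true
}

# True when the certificate stored with the key is self-signed, i.e. the
# Owner (subject) and Issuer DNs printed by "keytool -list -v" are identical.
# After the CA signs Maria's CSR and the reply is imported, Issuer changes
# to the CA's DN and this returns false.
is_self_signed() {
    listing=$(keytool -list -v -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -alias "$ALIAS")
    owner=$(printf '%s\n' "$listing" | sed -n 's/^Owner: //p')
    issuer=$(printf '%s\n' "$listing" | sed -n 's/^Issuer: //p')
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

main() {
    generate_keypair
    echo "PrivateKeyEntry count: $(count_entries PrivateKeyEntry)"
    if is_self_signed; then
        echo "stored certificate is self-signed (Owner == Issuer); no CA has signed it yet"
    fi
}

if command -v keytool >/dev/null 2>&1; then
    main
else
    echo "keytool not found on PATH; install a JDK to run this example" >&2
fi
```

The passwords are kept in variables only to mirror the tutorial; in a real script drop "-storepass" and "-keypass" and let keytool prompt, or read them from a file with restrictive permissions, so they never appear in the process list. The Owner/Issuer comparison is the quickest way to tell, after the CA reply is imported later in the tutorial, whether the import actually replaced the self-signed certificate.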
Now Maria is ready to generate a CSR (Certificate Signing Request) and ask me, as a CA, to sign it,
as described in the next section.