Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

'OpenSSL' Signing CSR Generated by 'keytool'


(Continued from previous part...)

As a CA, I now have my private key and my public key certificate, so I am ready to sign anything. The next section describes how someone else can use "keytool" to generate a key pair and ask me to sign the public key.

One error I ran into was running the "openssl req -new -x509" command without the "-config openssl.cnf" option. "OpenSSL" will give you an error like this:

>openssl req -new -key herong.key -x509 -out herong.crt 
-days 3650
Unable to load config info
Enter pass phrase for herong.key:
unable to find 'distinguished_name' in config
problems making Certificate Request
2252:error:0E06D06A:configuration file routines:
NCONF_get_string:no conf or environment 
variable:conf_lib.c:325:
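The error above says that "openssl req" could not find a "distinguished_name" section because no configuration file was loaded. As an added example that is not part of the tutorial, here is a minimal configuration file that supplies that section, together with the self-signed CA step run against it; "prompt = no" makes "openssl req" take the subject from the file instead of asking for it. The file names and subject values are placeholders, and the key is generated without a pass phrase only to keep the example non-interactive (the tutorial's herong.key is pass-phrase protected).

```shell
# Added example, not from Herong's tutorial: a minimal openssl.cnf with the
# "distinguished_name" section that "openssl req" requires, and a self-signed
# CA certificate built with "-config". File names and subject values are
# placeholders chosen for this example.

write_min_config() {
  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Herong Yang
O  = Herong Company
C  = US
EOF
}

make_self_signed() {
  # $1 = config file, $2 = private key file (created here), $3 = output certificate
  # The key has no pass phrase here so the example runs unattended.
  openssl genrsa -out "$2" 2048 2>/dev/null &&
  openssl req -new -x509 -config "$1" -key "$2" -out "$3" -days 3650 2>/dev/null
}

cert_subject_has() {
  # $1 = certificate, $2 = text expected in its subject; succeeds when found
  openssl x509 -in "$1" -noout -subject | grep -q "$2"
}

cert_is_self_signed() {
  # A self-signed CA certificate has identical subject and issuer.
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}
```

Run it as `write_min_config openssl.cnf && make_self_signed openssl.cnf herong.key herong.crt`, then `cert_is_self_signed herong.crt` confirms that the subject and issuer match, which is what you expect from a CA certificate that signs itself.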

"keytool" Generating Maria's Private Key

In this section, let's assume that Maria is using "keytool". She wants to have her own private key to sign documents, but she needs her public key certificate to be signed by me, Herong, for two possible reasons:

  • "keytool" doesn't offer a self-signing certificate function.
  • Other people do not trust Maria's signature.

So Maria starts by generating her own private key and storing it in a "keystore" file. This can be done with a single "keytool -genkeypair" command, as shown in the following command session:

>java -version

java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode,
  sharing)
  
>keytool -genkeypair -alias maria_key -keysize 1024 
   -keystore maria.jks -storepass jkspass -keypass keypass
What is your first and last name?
  [Unknown]:  Maria Teresa
What is the name of your organizational unit?
  [Unknown]:  Maria Unit
What is the name of your organization?
  [Unknown]:  Maria Company
What is the name of your City or Locality?
  [Unknown]:  Maria City
What is the name of your State or Province?
  [Unknown]:  Maria State
What is the two-letter country code for this unit?
  [Unknown]:  AT
Is CN=Maria Teresa, OU=Maria Unit, O=Maria Company, L=Maria City, 
ST=Maria State, C=AT correct?
  [no]:  yes

Here is what Maria did:

  • "java -version" command is used to check the Java version.
  • "keytool -genkeypair" command is used to generate a key pair: Maria's private key and Maria's public key.
  • "-keystore maria.jks" option specifies the keystore file name to hold the key pair.
  • "-alias maria_key" option specifies the entry name of the key pair in the keystore file, because a keystore file can hold multiple key and certificate entries.
  • "-keysize 1024" option specifies the key size to be 1024 bits. Too bad, "keytool" cannot generate 2048-bit keys.
  • "-storepass jkspass" option specifies a password to protect the keystore file.
  • "-keypass keypass" option specifies a password to protect the "maria_key" entry in the keystore file.
  • "keytool" also requires Maria's identification information (distinguished name) to be entered at the time of generating the key pair, which is not really needed for generating a key pair. A distinguished name is only needed when generating certificates.

Want to confirm that Maria's key pair is in the keystore file? Try this command:

>keytool -list -keystore maria.jks -storepass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C...
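The same key generation and keystore check, as an added shell example that is not part of the tutorial. It differs from the session above on purpose: "-dname" supplies the distinguished name so "keytool" does not prompt for it, "-keyalg RSA -keysize 2048" are requested explicitly (the tutorial's command names neither, so it takes keytool's defaults, which for Java 6 meant a DSA key), and "-storepass:env" / "-keypass:env" read the passwords from environment variables instead of the command line, where they would otherwise sit in shell history and process listings. The keystore name, alias and passwords are placeholders reused from the tutorial.

```shell
# Added example, not from Herong's tutorial: Maria's "keytool -genkeypair"
# step as a script, plus checks that parse "keytool -list" output.
# Assumes keytool is on PATH; keystore path, alias and passwords are
# placeholders. Passwords come from the environment via -storepass:env and
# -keypass:env rather than from literal command-line arguments.

KS_PASS=jkspass
KEY_PASS=keypass
export KS_PASS KEY_PASS

gen_keypair() {
  # $1 = keystore file, $2 = entry alias
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
    -dname "CN=Maria Teresa, OU=Maria Unit, O=Maria Company, L=Maria City, ST=Maria State, C=AT" \
    -keystore "$1" -storetype JKS \
    -storepass:env KS_PASS -keypass:env KEY_PASS >/dev/null 2>&1
}

entry_count() {
  # Parse "Your keystore contains N entry/entries" from "keytool -list";
  # prints N, or 0 when the keystore cannot be read.
  n=$(keytool -list -keystore "$1" -storetype JKS -storepass:env KS_PASS 2>/dev/null \
      | sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p')
  echo "${n:-0}"
}

has_private_key_entry() {
  # $1 = keystore, $2 = alias; succeeds when the alias is listed as a
  # PrivateKeyEntry (i.e. the private key, not just a certificate, is stored).
  keytool -list -keystore "$1" -storetype JKS -storepass:env KS_PASS 2>/dev/null \
    | grep -q "^$2,.*PrivateKeyEntry"
}

main() {
  # $1 = keystore file (default maria.jks); recreated from scratch each run
  ks=${1:-maria.jks}
  rm -f "$ks"
  gen_keypair "$ks" maria_key || { echo "keytool -genkeypair failed" >&2; return 1; }
  echo "entries in $ks: $(entry_count "$ks")"
  has_private_key_entry "$ks" maria_key && echo "maria_key is a PrivateKeyEntry"
}
```

Source the file and call `main maria.jks`; the listing check is the scripted form of the "keytool -list" confirmation shown above, and "-storetype JKS" is given explicitly because newer JDKs default to PKCS12.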

Now Maria is ready to generate a CSR (Certificate Signing Request) and ask me, as a CA, to sign it, as described in the next section.

(Continued on next part...)


Dr. Herong Yang, updated in 2007