'OpenSSL' Signing CSR Generated by 'keytool'
(Continued from previous part...)
"keytool" Importing Maria's Own Certificate
After importing the CA's certificate (Herong's certificate), Maria should import her own certificate,
which was signed by the CA (Herong), using the "keytool -importcert" command
as shown below:
>keytool -importcert -alias maria_crt -keypass keypass
-file maria.crt -keystore maria.jks -storepass jkspass
Certificate was added to keystore
The command is the same one used to import the CA's certificate. But this time, "keytool" did not
ask Maria whether to trust this certificate. It looks like "keytool" validated the certificate and
found that Maria's certificate was signed by a trusted certificate, herong_crt, already in the keystore.
Want to see what's in the keystore file now?
Try this "keytool -list" command:
>keytool -list -keystore maria.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C...
herong_crt, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C1:6C:FE:38:F7:0F:71:23:3...
maria_crt, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 5B:AB:DC:62:6E:F4:F4:96:5...
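The check that "keytool" appears to perform can be run by hand with OpenSSL before importing, together with a fingerprint to compare against the "keytool -list" output. This is an added example, not part of the original tutorial; the function names, file names and subject names are assumptions, and the demo builds a throwaway CA rather than using Herong's and Maria's files.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-signed certificate.
# All file names and subject names below are constructed for the demo.

# Succeeds only if certificate $2 chains to the CA certificate in $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the fingerprint of certificate $1 in the colon-separated form that
# "keytool -list" shows. $2 selects the digest: sha256 by default, md5 to
# match the older listing format shown above.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" | sed 's/^[^=]*=//'
}

# Build a throwaway CA, a certificate signed by it, and an unrelated
# self-signed certificate in a temporary directory; print the directory.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Server" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated" \
        -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1 || return 1
    echo "$d"
}

demo_dir=$(make_demo_pki) || exit 1

# A certificate signed by the CA passes the check.
if chains_to_ca "$demo_dir/ca.crt" "$demo_dir/server.crt"; then
    echo "server.crt chains to ca.crt"
    echo "fingerprint: $(cert_fingerprint "$demo_dir/server.crt")"
fi

# A certificate the CA never signed fails it.
if ! chains_to_ca "$demo_dir/ca.crt" "$demo_dir/other.crt"; then
    echo "other.crt does not chain to ca.crt: do not import it as trusted"
fi
```

On the real files, pass the CA's certificate file and maria.crt to chains_to_ca, then compare the output of cert_fingerprint with the maria_crt line printed by "keytool -list".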
Conclusion
- "OpenSSL" is a nice tool for signing certificates as a CA.
- "keytool" cannot be used to sign certificates. But it can generate key pairs and CSRs (Certificate Signing Requests).
- "OpenSSL" can generate 2048-bit keys. "keytool" can only generate up to 1024-bit keys.
- A CSR generated by "keytool" is compatible with "OpenSSL", which can sign it into a certificate.
- Certificates generated by "OpenSSL" are compatible with "keytool", which can import them into keystore files.