PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"keytool -gencert" - Sign CSR with CA certificate
This section provides a tutorial example on how to use the 'keytool -gencert' command to sign a CSR with a self-signed root CA certificate and its private/public key pair.
In this tutorial, I want to sign the CSR (Certificate Signing Request) generated in the last tutorial with a self-signed root CA certificate and its private/public key pair, using the "keytool -gencert" command.
1. Generate a root CA certificate.
herong$ keytool -genkeypair -keyalg ec -alias my_root \
  -keystore herong.jks -storepass HerongJKS

Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [Unknown]:  ZZ Root CA
What is the name of your organizational unit?
  [Unknown]:  .
What is the name of your organization?
  [Unknown]:  .
What is the name of your City or Locality?
  [Unknown]:  .
What is the name of your State or Province?
  [Unknown]:  .
What is the two-letter country code for this unit?
  [Unknown]:  ZZ
Is CN=ZZ Root CA, C=ZZ correct?
  [no]:  yes

Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
        for: CN=ZZ Root CA, C=ZZ
2. Sign the CSR generated from the last tutorial with the root CA certificate.
herong$ keytool -gencert -infile my_home.csr \
  -outfile my_home.pem -rfc -alias my_root \
  -keystore herong.jks -storepass HerongJKS
3. Look at my new certificate.
herong$ more my_home.pem
-----BEGIN CERTIFICATE-----
MIICBDCCAYqgAwIBAgIJAOcyJtBJSphsMAoGCCqGSM49BAMDMCIxCzAJBgNVBAYT
AlpaMRMwEQYDVQQDEwpaWiBSb290IENBMB4XDTI0MTEyNjIwMzUzM1oXDTI1MDIy
...
d/l+SBB7If+iHdy42vaQop9dGPrX5xieXADt+NxqUFwRqSMl0pSqYg==
-----END CERTIFICATE-----
4. Print out information from the certificate.
herong$ keytool -printcert -file my_home.pem
Owner: CN=Herong Yang, O=My Home, L=My City, ST=My State, C=US
Issuer: CN=ZZ Root CA, C=ZZ
Serial number: e73226d0494a986c
Valid from: Tue Nov 26 15:35:33 EST 2024 until: Mon Feb 24 ...
Certificate fingerprints:
         SHA1: B7:2B:3C:88:97:2B:BC:B2:F3:EA:09:2C:B9:66:B9:64:EC:CD:43:87
         SHA256: C7:43:BD:FB:98:5B:03:F9:72:D9:04:46:57:F3:02:73:C0:3A:...
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9D CC C2 A3 33 9E 6E 61   C6 ED B5 A7 0F 1E 1A C2
0010: 52 8B A3 1C
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 38 B5 80 C8 FD 32 A1 FC   DB 3F 3C 88 63 45 3D D1
0010: 42 2D 2E AC
]
]
Cool! I have successfully completed the entire certificate generation process using "keytool" commands: from private/public key generation, to CSR generation, to self-signed CA certificate generation, to CSR signing.
The final output, my_home.pem, binds my name to my public key and bears a digital signature issued by a CA. But it carries only the minimum content: apart from the AuthorityKeyIdentifier and SubjectKeyIdentifier extensions there is nothing else, no BasicConstraints, no KeyUsage or ExtendedKeyUsage, and no SubjectAlternativeName, so it is not yet suitable for any PKI application. The next tutorial shows how to add extensions with "keytool -gencert -ext".
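The whole flow of this tutorial and the previous one, as an added example script that is not part of the original tutorial, followed by the checks a practitioner wants after signing: that keytool names the root CA as issuer, that the reply can be imported back into the requester's keystore (keytool only installs a reply it can chain to a certificate the keystore trusts, so this exercises the signature), and how many extensions the new certificate carries. The keystore file names, aliases, distinguished names, the password and the use of PKCS12 keystores with non-interactive -dname values are all assumptions made for the example; it needs a JDK with keytool on the PATH.

```shell
#!/bin/sh
# Added example, not from the original tutorial: root CA, CSR and
# "keytool -gencert" run end to end in a scratch directory, then checked.
# Keystore names, aliases, DNs and the password are assumptions.

# Fresh scratch directory and the globals the steps share.
setup() {
  WORK=$(mktemp -d) || return 1
  CA_KS="$WORK/ca.p12"          # assumed: root CA keystore
  EE_KS="$WORK/home.p12"        # assumed: requester's keystore
  PASS=changeit                 # assumed throw-away password
}

# Step 1: self-signed root CA key pair, non-interactive via -dname.
make_root_ca() {
  keytool -genkeypair -keyalg ec -alias my_root \
    -dname "CN=ZZ Root CA, C=ZZ" -validity 90 \
    -storetype PKCS12 -keystore "$CA_KS" -storepass "$PASS" >/dev/null 2>&1
}

# Previous tutorial: the requester's key pair and a CSR for it.
make_csr() {
  keytool -genkeypair -keyalg ec -alias my_home \
    -dname "CN=Herong Yang, O=My Home, L=My City, ST=My State, C=US" \
    -storetype PKCS12 -keystore "$EE_KS" -storepass "$PASS" >/dev/null 2>&1 &&
  keytool -certreq -alias my_home -file "$WORK/my_home.csr" \
    -keystore "$EE_KS" -storepass "$PASS" >/dev/null 2>&1
}

# Step 2: sign the CSR with the root CA entry; PEM output via -rfc.
sign_csr() {
  keytool -gencert -infile "$WORK/my_home.csr" -outfile "$WORK/my_home.pem" \
    -rfc -alias my_root -keystore "$CA_KS" -storepass "$PASS" >/dev/null 2>&1
}

# Check 1: the Issuer printed for the new certificate is the root CA.
issuer_is_root() {
  keytool -printcert -file "$WORK/my_home.pem" |
    grep -q '^Issuer: CN=ZZ Root CA, C=ZZ'
}

# Check 2: install the reply under the requester's key entry. keytool only
# accepts a reply it can chain to a certificate the keystore trusts, so the
# root is exported and imported as a trusted entry first.
install_reply() {
  keytool -exportcert -rfc -alias my_root -file "$WORK/root.pem" \
    -keystore "$CA_KS" -storepass "$PASS" >/dev/null 2>&1 &&
  keytool -importcert -noprompt -alias my_root -file "$WORK/root.pem" \
    -keystore "$EE_KS" -storepass "$PASS" >/dev/null 2>&1 &&
  keytool -importcert -alias my_home -file "$WORK/my_home.pem" \
    -keystore "$EE_KS" -storepass "$PASS" >/dev/null 2>&1
}

# Check 3: number of X.509 extensions on the new certificate. -gencert
# without -ext adds only AuthorityKeyIdentifier and SubjectKeyIdentifier,
# so this prints 2: no BasicConstraints, KeyUsage or SubjectAlternativeName.
extension_count() {
  keytool -printcert -file "$WORK/my_home.pem" | grep -c '^#[0-9]*: ObjectId:'
}

main() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 1; }
  setup && make_root_ca && make_csr && sign_csr || return 1
  issuer_is_root && echo "issuer check: OK"
  install_reply && echo "reply installed into $EE_KS: OK"
  echo "extensions on the new certificate: $(extension_count)"
  # The key entry now holds a chain of two: the new certificate and the root.
  keytool -list -v -keystore "$EE_KS" -storepass "$PASS" -alias my_home |
    grep -E '^(Alias name|Entry type|Certificate chain length):'
}

# Run the demonstration with:  sh gencert_demo.sh run
if [ "${1:-}" = run ]; then main; fi
```

PKCS12 keystores are used so that no key-password prompt interrupts the script; with JKS, keytool would ask for a key password on -genkeypair and on installing the reply unless -keypass is given. The final -list shows the entry type PrivateKeyEntry with a certificate chain length of 2, which is what a server keystore needs before the key can be used for TLS (once the certificate also carries the right extensions).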
Note that "keytool -gencert" always signs with the key pair stored under the entry named by -alias. Unlike "openssl x509 -CA/-CAkey", it has no option to point at a CA certificate and a private key kept in separate files. To sign with an intermediate CA, the intermediate's private key together with its certificate chain must first be imported into the keystore as a single PrivateKeyEntry (for example from a PKCS12 bundle with "keytool -importkeystore"); an intermediate whose certificate and private key are held separately cannot be used by this command.