PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Generating Certificate Signing Request (CSR)
This section provides a tutorial example on how to generate a private and public key pair for the domain name of a Web server, and how to generate the Certificate Signing Request (CSR) that asks a CA to sign the public key into a server certificate, using the JDK keytool command.
With the domain name added to CAcert, I should be able to get a free server certificate now.
1. Go to CAcert.org and "Password Login" to my account.
2. Click "New" under the "Server Certificate" menu. The "CSR (Certificate Signing Request)" page shows up:
3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.
herong> keytool -genkey -alias herongyang.com \
   -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]: herongyang.com
What is the name of your organizational unit?
  [Unknown]: herongyang.com
What is the name of your organization?
  [Unknown]: herongyang.com
What is the name of your City or Locality?
  [Unknown]: L
What is the name of your State or Province?
  [Unknown]: ST
What is the two-letter country code for this unit?
  [Unknown]: C
Is CN=herongyang.com, OU=herongyang.com, O=herongyang.com, L=L, ST=ST, C=C correct?
  [no]: yes

Enter key password for <herongyang.com>
   (RETURN if same as keystore password): <Return>
4. Use JDK keytool to generate CSR from the private and public key pair:
herong> keytool -certreq -alias herongyang.com \
   -keystore herong.jks -storepass HerongJKS -file herongyang_com.csr
5. Open the CSR file, herongyang_com.csr, in a text editor:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICeTCCAjcCAQAwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlBBMQ4wDAYDVQQHEw...
...
-----END NEW CERTIFICATE REQUEST-----
Now, I have my own private and public key pair for my Web server, herongyang.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herongyang_com.csr, ready to send to any CA to sign into a server certificate.
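Before sending the CSR to a CA, it is worth confirming that it carries the intended subject and key algorithm. The Python code below is an added example, not part of the original tutorial: it decodes the PEM block that keytool writes and walks the DER structure to report the subject DN and the public-key algorithm. The sample CSR (dummy key and signature bytes) and the names `parse_csr`, `read_tlv` and `children` are constructed for illustration.

```python
import base64, re

# DER-encoded OIDs (hex) for keytool's DN prompts and common key algorithms.
NAMES = {"550403": "CN", "55040b": "OU", "55040a": "O", "550407": "L",
         "550408": "ST", "550406": "C", "2a864886f70d010101": "RSA",
         "2a8648ce380401": "DSA", "2a8648ce3d0201": "EC"}
# keytool labels the block "NEW CERTIFICATE REQUEST"; other tools omit "NEW".
PEM = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
                 r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def read_tlv(buf, pos):  # -> (tag, content, next_pos) of the DER element at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(value):  # split constructed content into (tag, content) pairs
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_csr(pem_text):  # -> subject DN (keytool display order), key algorithm
    m = PEM.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    # CertificationRequestInfo ::= SEQUENCE { version, subject, subjectPKInfo, ... }
    _ver, subject, spki = children(children(body)[0][1])[:3]
    dn = [f"{NAMES.get(t.hex(), t.hex())}={v.decode('utf-8', 'replace')}"
          for _, rdn in children(subject[1]) for _, atv in children(rdn)
          for (_, t), (_, v) in [children(atv)]]
    alg = children(children(spki[1])[0][1])[0][1].hex()
    return {"subject": ", ".join(reversed(dn)), "key_algorithm": NAMES.get(alg, alg)}

# Constructed sample (dummy key and signature bytes): C=US, CN=herongyang.com.
SAMPLE_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(bytes.fromhex(
    "3059 3043 020100 3026 310b3009060355040613025553 31173015060355040313 0e"
    + b"herongyang.com".hex() + "3014300d06092a864886f70d0101010500 0303000102 a000"
    "300d06092a864886f70d01010b0500 030300aabb")).decode()
    + "-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(parse_csr(SAMPLE_PEM))
```

To inspect a real request, pass the text of herongyang_com.csr to `parse_csr`; OIDs that are not in `NAMES` are reported as raw hex.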