Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

'OpenSSL' Signing CSR Generated by 'keytool'

Part:   1  2  3  4  5  6 

(Continued from previous part...)

Want to see some details about my private key? Run the "openssl rsa" command as shown below:

>openssl rsa -in herong.key -text
Enter pass phrase for herong.key: keypass
Private-Key: (2048 bit)
modulus:
    00:ba:a3:a2:d1:ab:9b:9f:26:e6:b5:79:b4:52:11:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    00:9d:62:da:2d:57:3a:2f:36:5d:bc:d0:f9:97:6f:
    ...
exponent1:
    27:6c:ec:a2:b8:78:5f:55:67:b9:47:eb:3e:25:5d:
    ...
exponent2:
    00:a9:17:88:e5:d7:63:c3:7b:f8:6f:57:78:de:53:
    ...
coefficient:
    30:f5:86:b6:81:ad:1d:35:2c:1a:c1:ba:b9:d9:ab:
    ...
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuqOi0aubnybmtXm0UhE47JSDcCrc/NGtfbtJdk+9...
    ...
-----END RSA PRIVATE KEY-----

Now I am ready to generate a self-signed public key certificate based on my private key file as described in the section below.

"OpenSSL" Self-signing CA's Public Key Certificate

As you know, my key file actually contains a pair of keys: my private key and my public key. My private key will be used only by myself to sign documents. My public key will be used by whoever receives a document signed by me to verify the signature.

To give out my public key, I need to put it into a certificate together with my name, and sign that certificate with my own private key. This process is called generating a self-signed public key certificate. OpenSSL can do this in a single command, "openssl req -new -x509", as shown in the following command window session:

>openssl req -new -key herong.key -x509 -days 3650 
   -out herong.crt -config openssl.cnf
   
Enter pass phrase for herong.key: keypass
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [HY State]:
Locality Name (eg, city) [HY City]:
Organization Name (eg, company) [HY Company]:
Organizational Unit Name (eg, section) [HY Unit]:
Common Name (eg, YOUR name) [Herong Yang]:
Email Address [herongyang.com]:

>type herong.crt

-----BEGIN CERTIFICATE-----
MIIElzCCA3+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UE...
...
KqbxyZS65093ifrC0kmfNCY3cq+vBqdMvpV9
-----END CERTIFICATE-----

Here is what happened:

  • The "req" command is used to generate a certificate signing request or a self-signed certificate.
  • The "-new" option tells "req" to prompt for the certificate "subject" information.
  • The "-key herong.key" option specifies my key file containing my private key and public key. You will be prompted for its pass phrase.
  • The "-x509" option tells "req" to generate a self-signed certificate instead of a signing request.
  • The "-days 3650" option makes the self-signed certificate valid for 3650 days, about 10 years.
  • The "-out herong.crt" option tells "req" to store the self-signed certificate in a file called "herong.crt".
  • The "-config openssl.cnf" option specifies the configuration file.
  • When you are prompted for distinguished name information, just press the Enter key to take the default values.
  • "type herong.crt" is the Windows command to show the content of "herong.crt".

Want to see some details about my self-signed certificate? Run the "openssl x509" command as shown below:

>openssl x509 -in herong.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CA, ST=HY State, L=HY City, O=HY Company,
OU=HY Unit, CN=Herong Yang/emailAddress=herongyang.com
        Validity
            Not Before: Apr 1 14:07:29 2007 GMT
            Not After : Mar 29 14:07:29 2017 GMT
        Subject: C=CA, ST=HY State, L=HY City, O=HY Company,
OU=HY Unit, CN=Herong Yang/emailAddress=herongyang.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ba:a3:a2:d1:ab:9b:9f:26:e6:b5:79:...
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                36:7C:F4:4A:A4:9B:C9:B5:C5:F7:09:3F:31:1...
            X509v3 Authority Key Identifier:
                keyid:36:7C:F4:4A:A4:9B:C9:B5:C5:F7:09:3...
                DirName:/C=CA/ST=HY State/L=HY City
/O=HY Company/OU=HY Unit/CN=Herong Yang
/emailAddress=herongyang.com
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        aa:40:06:c0:cb:28:74:b1:1e:c2:a2:89:4f:8d:1e:9c:...
        ...

Notice that a default serial number, 0, is used when self-signing your own CA public key certificate.
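The same self-signing step and the checks a verifier cares about (issuer equals subject, CA:TRUE, signature valid against the certificate's own key), as an added shell example that is not part of the original tutorial. It assumes the openssl command-line tool is installed, replaces the interactive DN prompts with "-subj", and passes "-sha256" because the md5WithRSAEncryption signature in the 2007 output above is no longer acceptable (MD5 collisions are practical).

```shell
#!/bin/sh
# Added example, not the tutorial's own session: self-sign a CA certificate
# non-interactively and inspect the properties the tutorial points out.
# Assumes the openssl CLI is on PATH. File names and subject fields follow
# the tutorial; "keypass" is the tutorial's pass phrase.
set -e

WORK=$(mktemp -d)
KEY="$WORK/herong.key"
CRT="$WORK/herong.crt"

make_self_signed_ca() {
    # -newkey creates the RSA key in the same step; -passout encrypts it with
    # the pass phrase instead of prompting. -subj replaces the DN prompts and
    # -sha256 avoids an MD5-based signature. With no -extensions given, req
    # -x509 adds basicConstraints CA:TRUE plus subject/authority key ids.
    openssl req -new -x509 -days 3650 -sha256 \
        -newkey rsa:2048 -passout pass:keypass \
        -subj "/C=CA/ST=HY State/L=HY City/O=HY Company/OU=HY Unit/CN=Herong Yang/emailAddress=herongyang.com" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
}

# Succeeds when issuer and subject DNs are identical: the self-signed property.
is_self_issued() {
    issuer=$(openssl x509 -in "$CRT" -noout -issuer)
    subject=$(openssl x509 -in "$CRT" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Succeeds when basicConstraints marks the certificate as a CA.
is_ca() {
    openssl x509 -in "$CRT" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds when the signature verifies using the certificate's own public key,
# which is exactly what a relying party does for a trusted root.
verifies_against_itself() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Prints the signature algorithm so you can confirm it is not MD5-based.
signature_algorithm() {
    openssl x509 -in "$CRT" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 \
        | sed 's/^ *Signature Algorithm: //'
}
```

Note that "openssl x509 -noout -serial" on this certificate shows the default serial chosen by "req -x509"; newer OpenSSL releases pick a random serial rather than the 0 seen in the 2007 output.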

(Continued on next part...)

Dr. Herong Yang, updated in 2007