Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

'OpenSSL' Signing CSR Generated by 'keytool'


(Continued from previous part...)

"keytool" Managing Serial Numbers when Signing CSR

One error I ran into was using the "openssl x509 -req" command without providing any serial number option. "OpenSSL" will give you an error like this:

>openssl x509 -req -in maria.csr -CA herong.crt 
-CAkey herong.key -out maria.crt -days 365

Loading 'screen' into random state - done
Signature ok
subject=/C=AT/ST=Maria State/L=Maria City/O=Maria Company
/OU=Maria Unit/CN=Maria Teresa
Getting CA Private Key
Enter pass phrase for herong.key: keypass
herong.srl: No such file or directory
2744:error:02001002:system library:fopen:No such file or directory:
bss_file.c:276:fopen('herong.srl','rb')
2744:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:

"OpenSSL" tries to open a file named "herong.srl". The error message is not clear at all: it does not say that "herong.srl" is the serial number file. There are 3 ways to supply a serial number to the "openssl x509 -req" command:

  • Create a text file named as "herong.srl" and put a number in the file.
  • Use the "-set_serial n" option to specify a number each time.
  • Use the "-CAcreateserial -CAserial herong.seq" options to let "OpenSSL" create and manage the serial number file.
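As an added example that is not part of Herong's notes, the sh functions below manage a serial file of the kind the first and third options rely on and check the serial that ends up in the signed certificate. File names are the ones used in the text (herong.srl, herong.key, herong.crt, maria.csr); the openssl binary is assumed for the signing step.

```shell
#!/bin/sh
# Added example (not from Herong's tutorial). The .srl file holds a single
# hexadecimal number: OpenSSL uses it as the serial of the certificate it
# signs, then writes back that value plus one, uppercase, padded to whole bytes.

# Pad a hex string to an even number of digits, as OpenSSL writes it.
pad_even() {
    case ${#1} in
        *[13579]) printf '0%s\n' "$1" ;;   # odd digit count
        *)        printf '%s\n' "$1" ;;
    esac
}

# Canonical form of a serial as found in the file ("1" -> "01", "ff" -> "FF").
canon_serial() { pad_even "$(printf '%X' $(( 0x$1 )))"; }

# The value OpenSSL writes back after issuing a certificate with serial $1.
next_serial() { pad_even "$(printf '%X' $(( 0x$1 + 1 )))"; }

# Option 1 from the text: create the serial file by hand, starting at a
# hex value of the caller's choice (default 01). Never resets a live counter.
init_serial_file() {
    _file=$1; _start=${2:-01}
    [ -e "$_file" ] && return 0
    canon_serial "$_start" > "$_file"
}

# Sign a CSR with the serial file and confirm that the issued certificate
# carries the serial the file held before signing and that the file advanced.
# Assumes herong.crt / herong.key in the current directory (openssl prompts
# for the key passphrase exactly as in the tutorial output).
sign_with_serial_file() {
    _csr=$1; _out=$2; _srl=${3:-herong.srl}
    _expected=$(canon_serial "$(cat "$_srl")")
    openssl x509 -req -in "$_csr" -CA herong.crt -CAkey herong.key \
        -CAserial "$_srl" -days 365 -out "$_out" || return 1
    # "openssl x509 -noout -serial" prints a line "serial=<HEX>"
    _issued=$(openssl x509 -in "$_out" -noout -serial | sed 's/^serial=//')
    [ "$_issued" = "$_expected" ] ||
        { echo "serial mismatch: cert $_issued, file $_expected" >&2; return 1; }
    [ "$(cat "$_srl")" = "$(next_serial "$_expected")" ] ||
        { echo "serial file was not advanced" >&2; return 1; }
    echo "issued serial $_issued; $_srl now holds $(cat "$_srl")"
}

# Usage: init_serial_file herong.srl && sign_with_serial_file maria.csr maria.crt
```

Putting a decimal-looking value such as "10" in the file yields serial 0x10 (16); the functions treat every value as hex, exactly as OpenSSL does.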

"keytool" Importing CA's Certificate into Keystore Files

When Maria receives my CA self-signed public key certificate file, she needs to import it into her keystore file with the "keytool -importcert" command as shown below:

>keytool -importcert -alias herong_crt -keypass keypass 
-file herong.crt -keystore maria.jks -storepass jkspass

Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang, 
OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang, 
OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY
Serial number: 0
Valid from: Sun Apr 1:42:10 EDT 2007 
until: Wed Mar 29 23:42:10 EDT 2017
Certificate fingerprints:
         MD5:  2D:95:8D:5F:0F:4A:9B:CC:A2:69:61:F6:22:AE...
         SHA1: 1F:BB:C7:78:97:AC:C8:BF:7B:A4:88:DF:B5:62...
         Signature algorithm name: MD5withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...

[EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit, 
O=HY Company, L=HY City, ST=HY State, C=HY]
SerialNumber: [    00]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Notes on what Maria did:

  • The "keytool -importcert" command imports a certificate into a keystore file.
  • The "-alias herong_crt" option specifies a new entry name for the imported certificate.
  • The "-keypass keypass" option specifies a password to protect this new entry.
  • The "-file herong.crt" option specifies the file name of the certificate to be imported.
  • The "-keystore maria.jks -storepass jkspass" options specify the keystore file name and its password.
  • Maria entered "yes" when "keytool" asked whether to trust this certificate; the fingerprints displayed are what she should compare against my copy before doing so.

Want to see if the certificate was imported correctly or not? Try this "keytool -list" command:

>keytool -list -keystore maria.jks -storepass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C...
herong_crt, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C1:6C:FE:38:F7:0F:71:23:3...

As we can see, my CA certificate was imported OK and stored as a "trustedCertEntry". So certificates generated by "OpenSSL" are compatible with the "keytool" certificate format.

If Maria made a mistake when importing my certificate, she could use this command to delete my certificate from her keystore file:

>keytool -delete -alias herong_crt -keystore maria.jks 
-storepass jkspass

Now Maria is ready to import her own public key certificate signed by me as described in the next section.

(Continued on next part...)


Dr. Herong Yang, updated in 2007