'OpenSSL' Signing CSR Generated by 'keytool'
(Continued from previous part...)
"keytool" Managing Serial Numbers when Signing CSR
One error I ran into when using the "openssl x509 -req" command without providing any serial number option:
"OpenSSL" gives an error like this:
>openssl x509 -req -in maria.csr -CA herong.crt
-CAkey herong.key -out maria.crt -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=AT/ST=Maria State/L=Maria City/O=Maria Company
/OU=Maria Unit/CN=Maria Teresa
Getting CA Private Key
Enter pass phrase for herong.key: keypass
herong.srl: No such file or directory
2744:error:02001002:system library:fopen:No such file or directory:
bss_file.c:276:fopen('herong.srl','rb')
2744:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
"OpenSSL" tries to open a file named "herong.srl". The error message is not clear at all:
it does not say that "herong.srl" is expected to be the serial number file.
There are 3 ways to supply a serial number to the "openssl x509 -req" command:
- Create a text file named "herong.srl" and put a number in the file.
- Use the "-set_serial n" option to specify a number each time.
- Use the "-CAcreateserial -CAserial herong.seq" option to let "OpenSSL" create and manage the serial number.
Whichever way you choose, every certificate issued by the same CA must get a distinct serial number, so when signing more than one CSR the file-based options are safer than typing a number by hand each time.
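All three options come down to keeping one counter per CA. The script below is an added example, not code from this tutorial: it keeps an ".srl"-style serial file by hand, advances it before each signing, and checks up front for the missing-file condition that produces the unclear error above. File names such as herong.crt and herong.srl are placeholders, and sign_csr assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original tutorial): file-based serial numbers
# for "openssl x509 -req". Assumes a POSIX sh; file names are placeholders.

# Create the serial file if it does not exist, seeded with a hex value (default 01).
init_serial_file() {
    if [ ! -f "$1" ]; then
        printf '%s\n' "${2:-01}" > "$1"
    fi
}

# Print the serial currently stored in the file (hex, whitespace stripped).
current_serial() {
    tr -d ' \t\r\n' < "$1"
}

# Advance the stored serial by one and print the new value. The file holds the
# number as uppercase hex with an even number of digits, the same layout
# OpenSSL uses for its own .srl files. Shell arithmetic limits this helper to
# serials that fit in a 64-bit integer, which is enough for a counter-style CA.
next_serial() {
    ns_cur=$(current_serial "$1")
    ns_hex=$(printf '%X' $(( 0x$ns_cur + 1 )))
    if [ $(( ${#ns_hex} % 2 )) -eq 1 ]; then
        ns_hex="0$ns_hex"
    fi
    printf '%s\n' "$ns_hex" > "$1"
    printf '%s\n' "$ns_hex"
}

# Explain the situation clearly before running "openssl x509 -req", instead of
# letting OpenSSL fail with "herong.srl: No such file or directory". OpenSSL's
# default serial file is the CA certificate file name with its extension
# replaced by ".srl".
check_serial_source() {
    cs_srl="${1%.*}.srl"
    if [ -f "$cs_srl" ]; then
        echo "serial file $cs_srl found (current serial $(current_serial "$cs_srl"))"
        return 0
    fi
    echo "no serial file $cs_srl: create it, or use -set_serial or -CAcreateserial" >&2
    return 1
}

# Sign a CSR, taking the next serial from the file so every certificate this CA
# issues gets a distinct number. -set_serial accepts hex when prefixed with 0x.
sign_csr() {
    # args: csr ca_cert ca_key out_cert serial_file
    init_serial_file "$5"
    sc_serial=$(next_serial "$5")
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" \
        -set_serial "0x$sc_serial" -out "$4" -days 365
}

# Usage (placeholder file names):
#   sign_csr maria.csr herong.crt herong.key maria.crt herong.srl
```

Running check_serial_source herong.crt before the signing command turns the opaque fopen error into a message that names the file OpenSSL is looking for and the options that avoid it.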
"keytool" Importing CA's Certificate into Keystore Files
When Maria receives my CA self-signed public key certificate file,
she needs to import it into her keystore file with the "keytool -importcert" command
as shown below:
>keytool -importcert -alias herong_crt -keypass keypass
-file herong.crt -keystore maria.jks -storepass jkspass
Owner: EMAILADDRESS=herongyang.com, CN=Herong Yang,
OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY
Issuer: EMAILADDRESS=herongyang.com, CN=Herong Yang,
OU=HY Unit, O=HY Company, L=HY City, ST=HY State, C=HY
Serial number: 0
Valid from: Sun Apr 1:42:10 EDT 2007
until: Wed Mar 29 23:42:10 EDT 2017
Certificate fingerprints:
MD5: 2D:95:8D:5F:0F:4A:9B:CC:A2:69:61:F6:22:AE...
SHA1: 1F:BB:C7:78:97:AC:C8:BF:7B:A4:88:DF:B5:62...
Signature algorithm name: MD5withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
...
[EMAILADDRESS=herongyang.com, CN=Herong Yang, OU=HY Unit,
O=HY Company, L=HY City, ST=HY State, C=HY]
SerialNumber: [ 00]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Notes on what Maria did:
- The "keytool -importcert" command imports a certificate into a keystore file.
- The "-alias herong_crt" option specifies a new entry name for the imported certificate.
- The "-keypass keypass" option specifies a password to protect this new entry.
- The "-file herong.crt" option specifies the file name of the certificate to be imported.
- The "-keystore maria.jks -storepass jkspass" options specify the keystore file name and its password.
- Maria entered "yes" when "keytool" asked whether to trust this certificate. Before answering, she should compare the fingerprints displayed with the ones I gave her through a separate channel, because an entry accepted here becomes a trust anchor in her keystore.
To see whether the certificate was imported correctly,
try this "keytool -list" command:
>keytool -list -keystore maria.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C...
herong_crt, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C1:6C:FE:38:F7:0F:71:23:3...
As we can see, my CA certificate was imported correctly and stored as a "trustedCertEntry".
So certificates generated by "OpenSSL" are compatible with the certificate format "keytool" expects.
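Answering "yes" to "Trust this certificate?" makes my certificate a trust anchor in Maria's keystore, so the fingerprint in the "keytool -list" output is worth checking rather than just reading. The script below is an added example, not from this tutorial: it parses "keytool -list" output and confirms that a given alias is a trustedCertEntry whose fingerprint equals the one obtained separately from the CA. The list output embedded in it is constructed to match the format shown above, and the fingerprint digits beyond those the page shows are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that a CA certificate
# was imported as a trusted entry with the expected fingerprint. Assumes a
# POSIX sh with awk. The sample output below is constructed to match the
# "keytool -list" format; fingerprint digits beyond the page's are made up.

SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

maria_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 54:5A:E8:77:30:82:B4:EB:C0:D1:E2:F3:04:15:26:37
herong_crt, Apr 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C1:6C:FE:38:F7:0F:71:23:34:45:56:67:78:89:9A:AB'

# Print the entry type (PrivateKeyEntry, trustedCertEntry, ...) of an alias,
# reading "keytool -list" output from stdin. Prints nothing for an unknown alias.
entry_type() {
    awk -v alias="$1" -F', ' '$1 == alias { sub(/,$/, "", $NF); print $NF; exit }'
}

# Print the fingerprint on the line that follows an alias line, reading from stdin.
entry_fingerprint() {
    awk -v alias="$1" -F', ' '
        found && /^Certificate fingerprint/ { sub(/^[^:]*: /, ""); print; exit }
        $1 == alias { found = 1 }'
}

# Succeed only if the alias is a trustedCertEntry whose fingerprint matches the
# expected value (case-insensitive). Returns 1 on a wrong entry type, 2 on a
# fingerprint mismatch.
verify_trusted_ca() {
    vt_alias=$1
    vt_expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    vt_list=$(cat)
    vt_type=$(printf '%s\n' "$vt_list" | entry_type "$vt_alias")
    vt_fp=$(printf '%s\n' "$vt_list" | entry_fingerprint "$vt_alias")
    if [ "$vt_type" != "trustedCertEntry" ]; then
        echo "$vt_alias: not a trustedCertEntry (found '${vt_type:-nothing}')" >&2
        return 1
    fi
    if [ "$vt_fp" != "$vt_expected" ]; then
        echo "$vt_alias: fingerprint $vt_fp does not match expected $vt_expected" >&2
        return 2
    fi
    echo "$vt_alias: trusted CA entry with matching fingerprint"
}

# Check the constructed sample. For a real keystore, pipe in the output of
#   keytool -list -keystore maria.jks -storepass jkspass
demo() {
    printf '%s\n' "$SAMPLE_LIST" | verify_trusted_ca herong_crt \
        "C1:6C:FE:38:F7:0F:71:23:34:45:56:67:78:89:9A:AB"
}
```

The expected fingerprint should come from the CA itself, not from the keystore being checked: the CA can print it from its certificate file with "openssl x509 -noout -fingerprint" and hand it over out of band, and the script then confirms that what landed in maria.jks is that certificate and nothing else.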
If Maria made a mistake when importing my certificate, she could use this command
to delete my certificate from her keystore file:
>keytool -delete -alias herong_crt -keystore maria.jks
-storepass jkspass
Now Maria is ready to import her own public key certificate signed by me
as described in the next section.
(Continued on next part...)