Cryptography Tutorials - Herong's Tutorial Examples - Version 5.35, by Dr. Herong Yang
Signing a Certificate Signing Request
This section provides a tutorial example on how to sign someone else's certificate signing request with your self-signed certificate.
Even though I am not a well-established CA, I can still use OpenSSL to sign somebody else's certificate. The following process shows how Herong Yang signs John Smith's certificate:
    >echo generating a key pair for John

    >openssl genrsa -out john_rsa.key
    Loading 'screen' into random state - done
    Generating RSA private key, 512 bit long modulus
    ..................++++++++++++
    .++++++++++++
    e is 65537 (0x10001)

    >echo generating the certificate signing request for John

    >openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf
    You are about to be asked to enter information that will be incorp...
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name...
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) :CN
    State or Province Name (full name) :PN
    Locality Name (eg, city) :LN
    Organization Name (eg, company) :ON
    Organizational Unit Name (eg, section) :UN
    Common Name (eg, YOUR name) :John Smith
    Email Address :.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password :.
    An optional company name :.

    >echo signing John's request with Herong's certificate and key

    >openssl x509 -req -in john.csr -CA herong.crt -CAkey herong_rsa_des.key -out john.crt
    Loading 'screen' into random state - done
    Signature ok
    subject=/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
    Getting CA Private Key
    Enter pass phrase for herong_rsa_des.key:

    >echo looking at John's certificate

    >openssl x509 -in john.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 5 (0x5)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=CN, ST=PN, L=CN, O=ON, OU=UN, CN=Herong Yang
            Validity
                Not Before: Jul 17 03:10:39 2002 GMT
                Not After : Aug 16 03:10:39 2002 GMT
            Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=John Smith
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:d4:a4:be:ce:2d:be:88:56:ef:d3:de:13:15:33:
                        59:84:ea:08:fe:bc:c8:70:93:30:c0:c4:c5:de:e3:
                        65:e8:98:e1:15:12:27:d4:00:69:6e:22:fa:c3:72:
                        4a:75:a6:d8:66:dc:ec:12:f6:92:94:09:3c:3a:61:
                        69:47:99:b3:91
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            57:a5:9f:93:8e:f8:69:cd:9b:70:ff:f5:fc:78:e3:f6:da:70:
            b9:5d:d6:a8:ac:ae:76:41:13:04:99:28:97:55:9b:5e:94:c7:
            c5:59:26:77:33:cb:67:aa:1c:d5:0e:b7:de:33:73:b1:f6:3a:
            0b:c2:d9:6a:5b:f1:d1:ab:60:9b
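This is nice. Now I can sign anyone's certificate and become a CA! All I need is my RSA key pair, herong_rsa_des.key, my self-signed certificate, herong.crt, and the "x509" command. Note that the certificate shown above uses a 512-bit RSA key, an MD5 signature and X.509 version 1 with no extensions. These reflect the OpenSSL defaults at the time the session was recorded (2002) and are too weak for certificates issued today.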
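A present-day, non-interactive form of the procedure above, as an added example that is not from the original tutorial: 2048-bit keys, SHA-256 signatures and an X.509 v3 certificate marked CA:FALSE, validated against the signer afterwards. The file names (ext.cnf, ca.key, ca.crt, john.key) and the extension section names are assumptions made for this example.

```shell
#!/bin/sh
# Added example; file names and subjects are constructed for the demo.
set -eu

make_conf() {  # $1 = work dir: request defaults plus extension profiles
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
}

# -nodes leaves private keys unencrypted so the demo runs unattended;
# the page's CA key (herong_rsa_des.key) is passphrase-protected.
make_ca() {  # self-signed signer, standing in for herong.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/ext.cnf" -extensions ca_ext -subj "/CN=Herong Yang" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {  # requester's key pair and CSR, standing in for john.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/ext.cnf" -subj "/CN=John Smith" \
    -keyout "$1/john.key" -out "$1/john.csr" 2>/dev/null
}

sign_csr() {  # x509 -req checks the CSR self-signature before issuing
  openssl x509 -req -in "$1/john.csr" -sha256 -days 30 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/ext.cnf" -extensions leaf_ext -out "$1/john.crt" 2>/dev/null
}

check_cert() {  # validate against the signer, then dump the issued cert
  openssl verify -CAfile "$1/ca.crt" "$1/john.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/john.crt" -noout -text
}

dir=$(mktemp -d)
make_conf "$dir"; make_ca "$dir"; make_csr "$dir"; sign_csr "$dir"
check_cert "$dir" | grep -E 'Version:|Signature Algorithm|Public-Key|CA:'
```

The CA:FALSE constraint on the issued certificate is what stops its holder from using it to sign further certificates that validators would accept, a restriction the version 1 certificate in the session above cannot express.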
Last update: 2013.