Generating Certificate Signing Request (CSR)

This section provides a tutorial example on how to generate a private and public key pair for the domain name of a Web server, and how to generate the Certificate Signing Request (CSR) asking a CA to sign the public key into a server certificate, using the JDK keytool command.

With the domain name added to CAcert, I should be able to get a free server certificate now.

1. Go to CAcert.org and "Password Login" to my account.

2. Click "New" under the "Server Certificate" menu. The "CSR (Certificate Signing Request)" page shows up:
(Figure: Submit Certificate Signing Request to CAcert.org)

3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.

C:\herong>\local\jdk\bin\keytool -genkey -alias herongyang.com -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  herongyang.com
What is the name of your organizational unit?
  [Unknown]:  herongyang.com
What is the name of your organization?
  [Unknown]:  herongyang.com
What is the name of your City or Locality?
  [Unknown]:  L
What is the name of your State or Province?
  [Unknown]:  ST
What is the two-letter country code for this unit?
  [Unknown]:  C
Is CN=herongyang.com, OU=herongyang.com, O=herongyang.com, L=L, ST=ST, C=C
correct?
  [no]:  yes

Enter key password for <herongyang.com>
        (RETURN if same as keystore password): <Return>

4. Use JDK keytool to generate CSR from the private and public key pair:

C:\herong>\local\jdk\bin\keytool -certreq -alias herongyang.com -keystore herong.jks -storepass HerongJKS -file herongyang_com.csr

5. Open the CSR file, herongyang_com.csr, in a text editor:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICeTCCAjcCAQAwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlBBMQ4wDAYDVQQHEw...
...
-----END NEW CERTIFICATE REQUEST-----

Now I have my own private and public key pair for my Web server, herongyang.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herongyang_com.csr, ready to send to any CA to sign into a server certificate.
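
Before the CSR file goes to a CA, it is worth confirming that the subject and the public key algorithm inside it are what was intended. The Python code below is an added example, not part of the original tutorial or of keytool: it reads a keytool-style PEM request with a small DER walker and returns the subject fields and key algorithm, without verifying the request's signature. All function names are this example's own, and sample_csr() builds a constructed request with placeholder key and signature bytes.

```python
import base64, re
# DER-encoded OID bodies (hex) for subject attributes and key algorithms.
OIDS = {"550403": "CN", "55040b": "OU", "55040a": "O", "550407": "L", "550408": "ST",
        "550406": "C", "2a864886f70d010101": "RSA", "2a8648ce380401": "DSA", "2a8648ce3d0201": "EC"}

def pem_to_der(pem):
    # keytool writes "NEW CERTIFICATE REQUEST"; other tools omit "NEW".
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PKCS#10 request found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):  # -> (value, next_pos) of the DER element starting at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def children(value):  # values of the elements inside a SEQUENCE or SET body
    pos, out = 0, []
    while pos < len(value):
        val, pos = read_tlv(value, pos)
        out.append(val)
    return out

def inspect_csr(pem):
    # Return (subject dict, key algorithm); the signature is not verified.
    request = children(pem_to_der(pem))[0]           # CertificationRequest
    info = children(children(request)[0])            # CertificationRequestInfo
    subject = {}
    for rdn in children(info[1]):                    # Name: one SET per RDN
        for atv in children(rdn):                    # AttributeTypeAndValue
            oid, val = children(atv)[:2]
            subject[OIDS.get(oid.hex(), oid.hex())] = val.decode("utf-8", "replace")
    alg = children(children(info[2])[0])[0]          # SubjectPublicKeyInfo OID
    return subject, OIDS.get(alg.hex(), alg.hex())

def sample_csr():
    # Constructed input: PKCS#10 layout with placeholder key and signature bits.
    tlv = lambda tag, *p: bytes([tag, sum(map(len, p))]) + b"".join(p)
    atv = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid)), tlv(0x13, s)))
    name = tlv(0x30, atv("550403", b"herongyang.com"), atv("55040a", b"herongyang.com"))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05))
    info = tlv(0x30, tlv(0x02, b"\x00"), name, tlv(0x30, alg, tlv(0x03, b"\x00\x00")), tlv(0xA0))
    b64 = base64.b64encode(tlv(0x30, info, alg, tlv(0x03, b"\x00\x00"))).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real file, pass its text to inspect_csr(), for example inspect_csr(open("herongyang_com.csr").read()), and compare the returned CN with the domain name validated at the CA.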

Last update: 2011.
