PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Generating CSR for a Personal Certificate
This section provides a tutorial example on how to generate a CSR for a personal certificate for an email address with the JDK keytool command.
So how can I get a free personal certificate that can be validated up to a trusted root CA? The answer is to go to CAcert.org and get a personal certificate.
1. Go to CAcert.org and "Password Login" to my account with IE 8.
2. Click "New" under the "Client Certificate" menu. "Client certificate" is CAcert.org's term for a personal certificate. The "New Client Certificate" page shows up.
3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.
    herong> keytool -genkey -alias herong_yang@yahoo.com \
       -keystore herong.jks -storepass HerongJKS

    What is your first and last name?
      [Unknown]:  herong_yang@yahoo.com
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:
    What is the name of your City or Locality?
      [Unknown]:
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:
    Is CN=herong_yang@yahoo.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes

    Enter key password for <herong_yang@yahoo.com>
        (RETURN if same as keystore password):  <Return>
4. Use JDK keytool to generate CSR from the private and public key pair:
    herong> keytool -certreq -alias herong_yang@yahoo.com \
       -keystore herong.jks -storepass HerongJKS \
       -file herong_yang_yahoo_com.csr
5. Open the CSR file, herong_yang_yahoo_com.csr, in a text editor:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj...
    ...
    -----END NEW CERTIFICATE REQUEST-----

Now I have my own private and public key pair for my email address, herong_yang@yahoo.com, stored in the KeyStore file herong.jks. I also have a CSR (Certificate Signing Request) stored in herong_yang_yahoo_com.csr, ready to send to any CA to be signed into a client certificate.
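The prompts left blank in step 3 end up in the request as literal "Unknown" values, and the part of the CSR visible in step 5 already shows this. The following is an added example, not code from the original tutorial: a small DER walker that decodes that visible base64 prefix and lists the subject attributes still holding the placeholder. The function names (read_tlv, children, subject_attributes, placeholder_fields) are chosen here for illustration.

```python
import base64

# Visible start of the CSR shown in step 5; the rest is elided on the page.
PAGE_CSR_PREFIX = "MIICfzCCAj0CAQAwejEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bj"

# X.520 attribute type OIDs (2.5.4.x) in DER content-byte form.
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos.
    Slices clamp, so an element cut short by truncation yields what is present."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def subject_attributes(b64_body):
    """List (name, value) pairs of the subject in a PKCS#10 request body."""
    b64 = "".join(b64_body.split())
    der = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    _, request, _ = read_tlv(der, 0)      # CertificationRequest
    _, info, _ = read_tlv(request, 0)     # CertificationRequestInfo
    fields = list(children(info))         # version, subject, public key, ...
    attrs = []
    for _, rdn in children(fields[1][1]):     # subject Name: one SET per RDN
        for _, atv in children(rdn):          # AttributeTypeAndValue
            parts = list(children(atv))
            if len(parts) < 2:                # value cut off by truncation
                continue
            oid, value = parts[0][1], parts[1][1]
            attrs.append((ATTR.get(oid, oid.hex()), value.decode("latin-1")))
    return attrs

def placeholder_fields(attrs):
    """Names of subject attributes still holding keytool's 'Unknown' default."""
    return [name for name, value in attrs if value == "Unknown"]

if __name__ == "__main__":
    print(placeholder_fields(subject_attributes(PAGE_CSR_PREFIX)))
```

For a complete CSR file, pass the base64 text between the BEGIN and END lines to subject_attributes to review the full subject before sending the request to the CA.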