Signing a CSR into a Certificate

This section provides a tutorial example on how to sign a CSR (Certificate Sign Request) into a certificate using OpenSSL 'x509' command.

This time, I am truly ready to sign Amy's CSR into a personal certificate using the OpenSSL "x509" command:

C:\herong>\local\gnuwin32\bin\openssl x509 -req -in amy_xyz_com.csr 
   -CAkey herong_key.pem -CA herongyang_com.crt -out amy_xyz_com.crt 
   -days 365 -set_serial 123

Loading 'screen' into random state - done
Signature ok
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown
   /CN=amy@xyz.com
Getting CA Private Key
Enter pass phrase for herong_key.pem: HerongKey

I think Amy's certificate is ready:

C:\herong>type amy_xyz_com.crt

-----BEGIN CERTIFICATE-----
MIICtzCCAncCAXswCQYHKoZIzjgEAzAZMRcwFQYDVQQDEw5oZXJvbmd5YW5nLmNv
...
merfPgsCFHiRRBO1K9KKiT+J4t+r39BOUaja
-----END CERTIFICATE-----

To view what's in Amy's certificate:

C:\herong>\local\gnuwin32\bin\openssl x509 -in amy_xyz_com.crt -noout 
  -text

Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number: 123 (0x7b)
    Signature Algorithm: dsaWithSHA1
    Issuer: CN=herongyang.com
    Validity
      ...
    Subject: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown,
    CN=amy@xyz.com
    Subject Public Key Info:
      Public Key Algorithm: dsaEncryption
      DSA Public Key:
          pub:
              00:ef:b5:66:2e:45:9c:28:c1:34:fc:ad:f7:e7:b8:
          ...  
  Signature Algorithm: dsaWithSHA1
    30:2c:02:14:65:b2:65:5d:77:c8:70:d7:3e:8f:5f:6c:fc:f9:
    1f:99:ea:df:3e:0b:02:14:78:91:44:13:b5:2b:d2:8a:89:3f:
    89:e2:df:ab:df:d0:4e:51:a8:da

What's next is to send Amy's certificate to amy@xyz.com. I should also send her my certificate and CAcert.org certificate, so that certificate can be validated in a certificate chain.

Congratulations, we have successfully completed all steps of issuing a Class 1 personal certificate to amy@xyz.com!

Last update: 2011.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of HTTPS (Hypertext Transfer Protocol Secure)

 Using HTTPS with IE (Internet Explorer) 10

 Using HTTPS with Chrome 40

 Using HTTPS with Firefox 35

 Perl Scripts Communicating with HTTPS Servers

 PHP Scripts Communicating with HTTPS Servers

 Java Programs Communicating with HTTPS Servers

 Certificate Stores and Certificate Console

 .NET Programs Communicating with HTTPS Servers

 CAcert.org - Root CA Offering Free Certificates

PKI CA Administration - Issuing Certificates

 Root CA and Intermediate CA

 Requesting and Signing Personal Certificate

 Generating a Private-Public Key Pair for Amy

 Generating a CSR (Certificate Signing Request)

 Verifying Requester's Email Address

 Exporting a Private Key from a KeyStore File

Signing a CSR into a Certificate

 Importing Certificate Reply Back to KeyStore

 "bad decrypt:./crypto/evp/evp_enc.c:461" Error

 Requesting and Signing Server Certificate

 Digital Signature - Microsoft Word 2007

 Digital Signature - OpenOffice.org 3

 S/MIME and Email Security

 PKI (Public Key Infrastructure) Terminology

 Outdated Tutorials

 References

 PDF Printing Version