Signing a CSR into a Certificate

This section provides a tutorial example on how to sign a CSR (Certificate Signing Request) into a certificate using the OpenSSL 'x509' command.

This time, I am truly ready to sign Amy's CSR into a personal certificate using the OpenSSL "x509" command:

C:\herong>\local\gnuwin32\bin\openssl x509 -req -in amy_xyz_com.csr 
   -CAkey herong_key.pem -CA herongyang_com.crt -out amy_xyz_com.crt 
   -days 365 -set_serial 123

Loading 'screen' into random state - done
Signature ok
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown
   /CN=amy@xyz.com
Getting CA Private Key
Enter pass phrase for herong_key.pem: HerongKey

I think Amy's certificate is ready:

C:\herong>type amy_xyz_com.crt

-----BEGIN CERTIFICATE-----
MIICtzCCAncCAXswCQYHKoZIzjgEAzAZMRcwFQYDVQQDEw5oZXJvbmd5YW5nLmNv
...
merfPgsCFHiRRBO1K9KKiT+J4t+r39BOUaja
-----END CERTIFICATE-----

To view what's in Amy's certificate:

C:\herong>\local\gnuwin32\bin\openssl x509 -in amy_xyz_com.crt -noout 
  -text

Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number: 123 (0x7b)
    Signature Algorithm: dsaWithSHA1
    Issuer: CN=herongyang.com
    Validity
      ...
    Subject: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown,
    CN=amy@xyz.com
    Subject Public Key Info:
      Public Key Algorithm: dsaEncryption
      DSA Public Key:
          pub:
              00:ef:b5:66:2e:45:9c:28:c1:34:fc:ad:f7:e7:b8:
          ...  
  Signature Algorithm: dsaWithSHA1
    30:2c:02:14:65:b2:65:5d:77:c8:70:d7:3e:8f:5f:6c:fc:f9:
    1f:99:ea:df:3e:0b:02:14:78:91:44:13:b5:2b:d2:8a:89:3f:
    89:e2:df:ab:df:d0:4e:51:a8:da

The next step is to send Amy's certificate to amy@xyz.com. I should also send her my certificate and the CAcert.org certificate, so that her certificate can be validated as part of a certificate chain.
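Before the certificate goes out, the issuer can confirm that it carries the public key from the CSR and that it validates against the CA certificate. The shell script below is an added example, not part of the original tutorial; it builds a throwaway RSA CA with constructed names (demo-ca.example, amy@example.test, bob@example.test) instead of the DSA keys and files shown above.

```shell
#!/bin/sh
# Added example. All names and keys below are constructed, throwaway values.

# Print the PEM public key held in a CSR ("req") or a certificate ("x509").
pubkey_pem() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# Succeed only if CERT carries the CSR's public key and its signature
# verifies against CA_CERT. usage: check_issued_cert CSR CERT CA_CERT
check_issued_cert() {
    csr_key=$(pubkey_pem req "$1") || return 2    # unreadable CSR
    crt_key=$(pubkey_pem x509 "$2") || return 2   # unreadable certificate
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 1
}

# Build a throwaway CA and two requesters in DIR, then sign the first CSR
# with the same "x509 -req" options the tutorial uses.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca.example" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    for who in amy bob; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$who@example.test" \
            -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/amy.csr" -CAkey "$d/ca.key" -CA "$d/ca.crt" \
        -out "$d/amy.crt" -days 365 -set_serial 123 2>/dev/null
}

# Return 0 when the good certificate passes and a mismatched CSR is rejected.
run_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    rc=0
    check_issued_cert "$dir/amy.csr" "$dir/amy.crt" "$dir/ca.crt" || rc=1
    # bob's CSR holds a different key, so amy's certificate must not match it
    check_issued_cert "$dir/bob.csr" "$dir/amy.crt" "$dir/ca.crt" && rc=1
    rm -rf "$dir"
    return $rc
}
```

For the files in this tutorial the equivalent call would be check_issued_cert amy_xyz_com.csr amy_xyz_com.crt herongyang_com.crt.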

Congratulations, we have successfully completed all steps of issuing a Class 1 personal certificate to amy@xyz.com!

Last update: 2011.
