PKI Tutorials - Herong's Tutorial Examples - Version 2.03, by Dr. Herong Yang
Verifying Requester's Email Address
This section provides a tutorial example on how to generate a CSR (Certificate Signing Request) using the JDK 'keytool' command.
Now it's my turn to verify Amy's identity and issue her a personal certificate.
Step 3 - Herong, as the CA administrator, reviews Amy's CSR file and verifies her identity.
To review Amy's CSR, I need to use a different tool called OpenSSL. JDK 'keytool' command is not good enough. Read my "Cryptography Tutorials - Herong's Tutorial Examples" book on how to install OpenSSL if you need help.
Here is the OpenSSL command I used to view Amy's CSR:
C:\herong>\local\gnuwin32\bin\openssl req -noout -text -in amy_xyz_com.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CNemail@example.com Subject Public Key Info: Public Key Algorithm: dsaEncryption DSA Public Key: pub: 00:ef:b5:66:2e:45:9c:28:c1:34:fc:ad:f7:e7:b8: ... Attributes: a0:00 Signature Algorithm: dsaWithSHA1 30:2c:02:14:5d:34:8f:30:77:ee:9a:7d:b7:de:8e:e2:67:5a: 34:b0:04:7c:6d:22:02:14:11:a4:4d:52:ea:61:8a:d3:bf:80: 6f:28:a6:a2:15:24:c6:1d:6f:06
Since I am planning to issue Amy a Class 1 certificate, I only need to verify her email address, which is the CN attribute of the Subject.
So I send Amy a verification email to firstname.lastname@example.org. If she can reply from that email address, then verification is done.
Last update: 2011.
Table of Contents