"keytool -certreq" - Generate CSR (Certificate Signing Request)

This section provides a tutorial example on how to use the 'keytool -certreq' command to generate a CSR from a given private/public key pair with a self-signed certificate stored in a KeyStore file.

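In this tutorial, I want to generate a CSR (Certificate Signing Request) from my self-signed certificate and its private/public key pair.

1. Generate a CSR from a given key entry in a KeyStore file. If the -storepass option is omitted, keytool prompts for the password instead, which keeps it out of the shell history and the process list.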

herong$ keytool -certreq -alias my_home -file my_home.csr \
  -keystore herong.jks -storepass HerongJKS

2. Look at the CSR.

herong$ more my_home.csr 

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBlDCCARsCAQAwbDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE15IFN0YXRlMRAw
DgYDVQQHEwdNeSBDaXR5MRAwDgYDVQQKEwdNeSBIb21lMRAwDgYDVQQLEwdNeSBV
...
KB3l6UEs8bGXLB65R/2NpiSbwlkRogMB
-----END NEW CERTIFICATE REQUEST-----

3. Print out information from the CSR.

herong$ keytool -printcertreq -file my_home.csr

PKCS #10 Certificate Request (Version 1.0)
Subject: CN=Herong Yang, O=My Home, L=My City, ST=My State, C=US
Format: X.509
Public Key: 384-bit EC (secp384r1) key
Signature algorithm: SHA384withECDSA

Extension Request:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 38 B5 80 C8 FD 32 A1 FC   DB 3F 3C 88 63 45 3D D1  
0010: 42 2D 2E AC                                        
]
]

My CSR file is ready to be sent to a CA (Certificate Authority) for signing.
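
As an added example that is not part of the original tutorial, the Python code below decodes a CSR with either PEM label (keytool writes "NEW CERTIFICATE REQUEST") and reads the version and subject DN straight from the DER, a tool-independent way to confirm what the request asks the CA to certify. The encoded version 0 is what keytool prints as "Version 1.0". The function names and the sample request are assumptions made here; the sample is constructed with empty placeholder key and signature fields, and the signature is not verified.

```python
import base64, re
# DER content bytes of the X.520 attribute-type OIDs (2.5.4.x) seen in a subject DN.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Decode a CSR with either the keytool 'NEW CERTIFICATE REQUEST' label or the plain one."""
    m = re.search(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.*?)"
                  r"-----END (NEW )?CERTIFICATE REQUEST-----", pem, re.S)
    if not m:
        raise ValueError("no PKCS #10 PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def csr_summary(pem):
    """Return (version, subject RDNs in encoded order). Does not verify the signature."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)   # CertificationRequest
    _, info, _ = read_tlv(request, 0)              # CertificationRequestInfo
    _, version, pos = read_tlv(info, 0)            # INTEGER 0 is PKCS #10 version 1
    _, name, _ = read_tlv(info, pos)               # subject Name
    subject, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)          # SET holding one AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, vpos = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, vpos)
        subject.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8")))
    return int.from_bytes(version, "big"), subject

def tlv(tag, body):                                # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_csr_pem():  # constructed sample; key, attributes and signature are empty placeholders
    rdn = lambda oid, text: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode())))
    name = tlv(0x30, rdn(b"\x55\x04\x06", "US") + rdn(b"\x55\x04\x0a", "My Home")
               + rdn(b"\x55\x04\x03", "Herong Yang"))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + tlv(0x30, b"") + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

Calling csr_summary() on the text of a file such as my_home.csr returns the subject in its encoded order, which can differ from the order a tool displays.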
