"keytool -gencert -ext" - Sign CSR with X.509 Extensions

This section provides a tutorial example on how to use the 'keytool -gencert' command with the '-ext' option to sign a CSR with a self-signed root CA certificate and its private/public key pair while adding X.509 extensions to the issued certificate.

Different types of PKI applications require certificates to carry specific X.509 extensions (for example, a CA certificate needs BasicConstraints with ca:true and a keyUsage that permits keyCertSign, while a Web server certificate needs a SubjectAlternativeName matching its host name). In this tutorial, let's add X.509 extensions while signing a CSR.

1. Add X.509 extensions to the root CA certificate.

herong$ keytool -selfcert -alias my_root \
  -ext BasicConstraints:critical=ca:true \
  -ext keyUsage:critical=digitalSignature,cRLSign,keyCertSign \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -exportcert -alias my_root -rfc \
  -file my_root.pem \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -printcert -file my_root.pem

  Owner: CN=ZZ Root CA, C=ZZ
  Issuer: CN=ZZ Root CA, C=ZZ
  ...
  Extensions: 

  #1: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen: no limit
  ]

  #2: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
  ]
  ...

2. Add X.509 extensions to an intermediate CA certificate.

herong$ keytool -genkeypair -keyalg ec -alias my_intermediate \
  -dname "cn=ZZ Intermediate CA, c=ZZ" \
  -keystore herong.jks -storepass HerongJKS

  Generating 384 bit EC (secp384r1) key pair and self-signed 
  certificate (SHA384withECDSA) with a validity of 90 days
    for: CN=ZZ Intermediate CA, C=ZZ

herong$ keytool -certreq -alias my_intermediate \
  -file my_intermediate.csr \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -gencert -infile my_intermediate.csr \
  -outfile my_intermediate.pem -rfc -alias my_root \
  -ext BasicConstraints:critical=ca:true,pathlen:0 \
  -ext keyUsage:critical=digitalSignature,cRLSign,keyCertSign \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -printcert -file my_intermediate.pem

  Owner: CN=ZZ Intermediate CA, C=ZZ
  Issuer: CN=ZZ Root CA, C=ZZ
  ...

  Extensions: 

  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:true
    PathLen:0
  ]

  #3: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
  ]

  ...

3. Add X.509 extensions to a Web server certificate.

herong$ keytool -genkeypair -keyalg ec -alias my_server \
  -dname "cn=herongyang.com, c=ZZ" \
  -keystore herong.jks -storepass HerongJKS

  Generating 384 bit EC (secp384r1) key pair and self-signed 
  certificate (SHA384withECDSA) with a validity of 90 days
    for: CN=herongyang.com, C=ZZ

herong$ keytool -certreq -alias my_server \
  -file my_server.csr \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -gencert -infile my_server.csr \
  -outfile my_server.pem -rfc -alias my_root \
  -ext BasicConstraints:critical=ca:false \
  -ext keyUsage:critical=digitalSignature,keyEncipherment \
  -ext ExtendedKeyUsage=serverAuth \
  -ext SAN=DNS:herongyang.com,DNS:www.herongyang.com \
  -keystore herong.jks -storepass HerongJKS

herong$ keytool -printcert -file my_server.pem

  Owner: CN=herongyang.com, C=ZZ
  Issuer: CN=ZZ Root CA, C=ZZ
  ...

  Extensions: 

  #2: ObjectId: 2.5.29.19 Criticality=true
  BasicConstraints:[
    CA:false
    PathLen: undefined
  ]

  #3: ObjectId: 2.5.29.37 Criticality=false
  ExtendedKeyUsages [
    serverAuth
  ]

  #4: ObjectId: 2.5.29.15 Criticality=true
  KeyUsage [
    DigitalSignature
    Key_Encipherment
  ]

  #5: ObjectId: 2.5.29.17 Criticality=false
  SubjectAlternativeName [
    DNSName: herongyang.com
    DNSName: www.herongyang.com
  ]

Note that if your Web server is accessed by IP address rather than by host name, you need to use the "IP:" prefix for that entry in the "SAN (subjectAltName)" extension, like:

  -ext SAN=DNS:herongyang.com,IP:127.0.0.1 \
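Before deploying the issued certificates, it is worth confirming that they actually carry the extensions requested in the '-ext' options above. The following Java program is an added example (not part of the original tutorial); it reads the my_root.pem, my_intermediate.pem and my_server.pem files produced in the steps above and checks the signature, the criticality flags and each extension value through the java.security.cert API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: verifies the X.509 extensions produced by "keytool -gencert -ext".
// File names assume the three PEM files exported in this tutorial.
public class CheckIssuedCerts {
    static X509Certificate load(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static void require(boolean ok, String msg) {
        if (!ok) throw new IllegalStateException(msg);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = load("my_root.pem");
        X509Certificate inter = load("my_intermediate.pem");
        X509Certificate server = load("my_server.pem");

        // Both issued certificates must verify under the root's public key and be in their validity period.
        inter.verify(root.getPublicKey());
        server.verify(root.getPublicKey());
        inter.checkValidity();
        server.checkValidity();

        // BasicConstraints (2.5.29.19): getBasicConstraints() returns -1 for a non-CA,
        // the path length for a CA, or Integer.MAX_VALUE for a CA with no limit.
        require(root.getBasicConstraints() == Integer.MAX_VALUE, "root must be a CA with no path limit");
        require(inter.getBasicConstraints() == 0, "intermediate must be a CA with pathlen 0");
        require(server.getBasicConstraints() == -1, "server cert must not be a CA");

        // KeyUsage (2.5.29.15) bits: 0 digitalSignature, 2 keyEncipherment, 5 keyCertSign, 6 cRLSign.
        boolean[] ku = server.getKeyUsage();
        require(ku != null && ku[0] && ku[2] && !ku[5] && !ku[6], "server KeyUsage differs from request");
        require(server.getCriticalExtensionOIDs().contains("2.5.29.15"), "server KeyUsage must be critical");
        boolean[] cku = inter.getKeyUsage();
        require(cku != null && cku[5] && cku[6], "intermediate must have keyCertSign and cRLSign");

        // ExtendedKeyUsage (2.5.29.37): serverAuth is OID 1.3.6.1.5.5.7.3.1.
        List<String> eku = server.getExtendedKeyUsage();
        require(eku != null && eku.contains("1.3.6.1.5.5.7.3.1"), "server cert lacks serverAuth EKU");

        // SubjectAlternativeName (2.5.29.17): each entry is [type, value]; type 2 is dNSName.
        List<String> dns = new ArrayList<>();
        if (server.getSubjectAlternativeNames() != null)
            for (List<?> san : server.getSubjectAlternativeNames())
                if ((Integer) san.get(0) == 2) dns.add((String) san.get(1));
        require(dns.containsAll(Arrays.asList("herongyang.com", "www.herongyang.com")), "SAN mismatch: " + dns);

        System.out.println("All three certificates carry the requested extensions.");
    }
}
```

Compile and run it with the three PEM files in the working directory; any mismatch between what was requested with '-ext' and what keytool actually encoded surfaces as an IllegalStateException naming the failing check.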
