Generating Certificate Signing Request (CSR)

This section provides a tutorial example on how to generate a private and public key pair for the domain name of a Web server, and how to generate a Certificate Signing Request (CSR) asking a CA to sign the public key into a server certificate, using the JDK keytool command.

With the domain name added to CAcert, I should be able to get a free server certificate now.

1. Go to CAcert.org and "Password Login" to my account.

2. Click "New" under the "Server Certificate" menu. The "CSR (Certificate Signing Request)" page shows up:

Submit Certificate Signing Request to CAcert.org

3. Use JDK keytool to generate a private and public key pair. The CSR is a request asking the CA to sign your public key into a certificate. So if you do not have a private and public key pair, you should generate one.

herong> keytool -genkey -alias herongyang.com \
   -keystore herong.jks -storepass HerongJKS

What is your first and last name?
  [Unknown]:  herongyang.com
What is the name of your organizational unit?
  [Unknown]:  herongyang.com
What is the name of your organization?
  [Unknown]:  herongyang.com
What is the name of your City or Locality?
  [Unknown]:  L
What is the name of your State or Province?
  [Unknown]:  ST
What is the two-letter country code for this unit?
  [Unknown]:  C
Is CN=herongyang.com, OU=herongyang.com, O=herongyang.com, L=L, ST=ST, C=C
correct?
  [no]:  yes

Enter key password for <herongyang.com>
        (RETURN if same as keystore password): <Return>

4. Use JDK keytool to generate the CSR from the private and public key pair:

herong> keytool -certreq -alias herongyang.com \
   -keystore herong.jks -storepass HerongJKS -file herongyang_com.csr

5. Open the CSR file, herongyang_com.csr, in a text editor:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICeTCCAjcCAQAwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlBBMQ4wDAYDVQQHEw...
...
-----END NEW CERTIFICATE REQUEST-----

Now, I have my own private and public key pair for my Web server, herongyang.com, stored in the KeyStore file, herong.jks. I also have a CSR (Certificate Signing Request) stored in herongyang_com.csr, ready to send to any CA to sign into a server certificate.
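
Before submitting a CSR, it helps to confirm which subject and key algorithm it actually asks the CA to certify. The Python code below is an added example, not part of the original tutorial: it decodes the PEM block keytool writes and walks the DER structure to report both. The names inspect_csr, items and SAMPLE_PEM, and the example.test subject, are assumptions made for this example; the signature is not verified.

```python
import base64, re

# DER-encoded OID bodies (hex) for the subject attributes and key algorithms reported.
ATTR = {"550403": "CN", "55040b": "OU", "55040a": "O",
        "550407": "L", "550408": "ST", "550406": "C"}
KEYALG = {"2a864886f70d010101": "RSA", "2a8648ce380401": "DSA", "2a8648ce3d0201": "EC"}
PEM = re.compile(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----(.+?)"
                 r"-----END (NEW )?CERTIFICATE REQUEST-----", re.S)

def items(buf):
    """Split DER content into a list of (tag, body) elements."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated DER element")
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                      # long form: low 7 bits count the length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def inspect_csr(pem_text):
    """Return subject and key algorithm of a PEM CSR (keytool's "NEW" label or the plain one)."""
    m = PEM.search(pem_text)
    if not m:
        raise ValueError("no certificate request block found")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    info = items(items(items(der)[0][1])[0][1])   # version, subject, public key, attributes
    subject = []
    for _, rdn in items(info[1][1]):              # Name: SEQUENCE of SET ...
        for _, atv in items(rdn):                 # ... of SEQUENCE {OID, value}
            (_, oid), (_, val) = items(atv)[:2]
            subject.append((ATTR.get(oid.hex(), oid.hex()), val.decode("utf-8", "replace")))
    alg = items(items(info[2][1])[0][1])[0][1].hex()
    return {"subject": subject, "key_alg": KEYALG.get(alg, alg)}

# Constructed sample, not from the page: C=US, CN=example.test, RSA algorithm id,
# placeholder key and signature bytes (structurally valid, not a usable request).
SAMPLE_DER = bytes.fromhex(
    "305b3043020100" "3024310b3009060355040613025553" "311530130603550403130c6578616d706c652e74657374"
    "3016300d06092a864886f70d0101010500030500deadbeef" "a000"
    "300d06092a864886f70d01010b0500" "03050000000000")
SAMPLE_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END NEW CERTIFICATE REQUEST-----\n")

print(inspect_csr(SAMPLE_PEM))
```

To check a real file, pass its text to inspect_csr, for example the contents of herongyang_com.csr. keytool can display the same fields itself with "keytool -printcertreq -file herongyang_com.csr".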
