DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows

"keytool -gencert" Command Examples - Sign CSR

Q

How to use the "keytool -gencert" command? I received a CSR (Certificate Signing Request) file and want to sign it with my private key to generate a certificate.

✍: FYIcenter.com

A

Here is an example of using "keytool -gencert" command to sign a CSR (Certificate Signing Request) with a private key 

C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -gencert 
-storepass FYIcenter -alias mykey -infile 2nd_cert_req.csr 
-outfile 2nd_cert_signed.pem -rfc

C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -printcert 
-file 2nd_cert_signed.pem

Owner: CN=jar.fyicenter.com
Issuer: CN=www.fyicenter.com
Serial number: 49471fd5
Valid from: Sat Jul 14 22:13:07 EDT 2012 until: Fri Oct 12 22:13:07 EDT 2012
Certificate fingerprints:
         MD5:  77:17:3C:5A:9D:A4:3C:46:CA:48:76:19:9F:3A:3C:85
         SHA1: 84:BB:46:36:12:75:9F:7C:02:BF:3B:D1:FA:83:74:4C:58:2D:5D:81
         SHA256: 0F:95:C0:66:86:13:87:E1:B8:A9:A5:73:EF:72:E5:A6:73:AD:9B:51:72:
0F:8C:52:C9:EE:8B:2A:70:2E:56:33
         Signature algorithm name: SHA1withDSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 4E 3E 90 DA 45 A2 A0   91 96 62 F5 07 19 2C A3  .N>..E....b...,.
0010: 48 AF 0B 0B                                        H...
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 5C D2 77 D4 D0 3A B9   33 B0 1B EE F8 2D 84 87  r\.w..:.3....-..
0010: 32 58 2B DB                                        2X+.
]
]

What the "keytool -gencert" command shown above did for you:

  • Open the default keystore file in your home folder: C:\Users\fyicenter\.keystore.
  • Read the private key of "www.fyicenter.com" stored in the "mykey" entry of the keystore.
  • Open the CSR (Certificate Signing Request) file: 2nd_cert_req.csr to get the public key of "jar.fyicenter.com".
  • Generate a digital signature for the public key of "jar.fyicenter.com" with private key of "www.fyicenter.com".
  • Save the public key and the digital signature as signed certificate in "2nd_cert_signed.pem" for "jar.fyicenter.com".

2012-07-21, 18913👍, 0💬

DH Keys DSA Keys EC Keys Firefox General Google Chrome IE (Internet Explorer) Intermediate CA Java VM JDK Keytool Microsoft CertUtil Mozilla CertUtil OpenSSL Other Portecle Publishers Revoked Certificates Root CA RSA Keys Tools Tutorial What Is Windows