"keytool -gencert" Command Examples - Sign CSR
Q
How to use the "keytool -gencert" command? I received a CSR (Certificate Signing Request) file and want to sign it with my private key to generate a certificate.
✍: FYIcenter.com
A
Here is an example of using "keytool -gencert" command to sign a CSR (Certificate Signing Request) with a private key
C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -gencert
-storepass FYIcenter -alias mykey -infile 2nd_cert_req.csr
-outfile 2nd_cert_signed.pem -rfc
C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -printcert
-file 2nd_cert_signed.pem
Owner: CN=jar.fyicenter.com
Issuer: CN=www.fyicenter.com
Serial number: 49471fd5
Valid from: Sat Jul 14 22:13:07 EDT 2012 until: Fri Oct 12 22:13:07 EDT 2012
Certificate fingerprints:
MD5: 77:17:3C:5A:9D:A4:3C:46:CA:48:76:19:9F:3A:3C:85
SHA1: 84:BB:46:36:12:75:9F:7C:02:BF:3B:D1:FA:83:74:4C:58:2D:5D:81
SHA256: 0F:95:C0:66:86:13:87:E1:B8:A9:A5:73:EF:72:E5:A6:73:AD:9B:51:72:
0F:8C:52:C9:EE:8B:2A:70:2E:56:33
Signature algorithm name: SHA1withDSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 4E 3E 90 DA 45 A2 A0 91 96 62 F5 07 19 2C A3 .N>..E....b...,.
0010: 48 AF 0B 0B H...
]
]
#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 5C D2 77 D4 D0 3A B9 33 B0 1B EE F8 2D 84 87 r\.w..:.3....-..
0010: 32 58 2B DB 2X+.
]
]
What the "keytool -gencert" command shown above did for you:
- Open the default keystore file in your home folder: C:\Users\fyicenter\.keystore.
- Read the private key of "www.fyicenter.com" stored in the "mykey" entry of the keystore.
- Open the CSR (Certificate Signing Request) file: 2nd_cert_req.csr to get the public key of "jar.fyicenter.com".
- Generate a digital signature for the public key of "jar.fyicenter.com" with private key of "www.fyicenter.com".
- Save the public key and the digital signature as signed certificate in "2nd_cert_signed.pem" for "jar.fyicenter.com".
2012-07-21, 14601👍, 0💬