"keytool -gencert" Command Examples - Sign CSR

Q

How to use the "keytool -gencert" command? I received a CSR (Certificate Signing Request) file and want to sign it with my private key to generate a certificate.

✍: FYIcenter.com

A

Here is an example of using the "keytool -gencert" command to sign a CSR (Certificate Signing Request) with a private key:

C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -gencert 
-storepass FYIcenter -alias mykey -infile 2nd_cert_req.csr 
-outfile 2nd_cert_signed.pem -rfc

C:\Users\fyicenter>"\Program Files\java\jre7\bin\keytool" -printcert 
-file 2nd_cert_signed.pem

Owner: CN=jar.fyicenter.com
Issuer: CN=www.fyicenter.com
Serial number: 49471fd5
Valid from: Sat Jul 14 22:13:07 EDT 2012 until: Fri Oct 12 22:13:07 EDT 2012
Certificate fingerprints:
         MD5:  77:17:3C:5A:9D:A4:3C:46:CA:48:76:19:9F:3A:3C:85
         SHA1: 84:BB:46:36:12:75:9F:7C:02:BF:3B:D1:FA:83:74:4C:58:2D:5D:81
         SHA256: 0F:95:C0:66:86:13:87:E1:B8:A9:A5:73:EF:72:E5:A6:73:AD:9B:51:72:
0F:8C:52:C9:EE:8B:2A:70:2E:56:33
         Signature algorithm name: SHA1withDSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 94 4E 3E 90 DA 45 A2 A0   91 96 62 F5 07 19 2C A3  .N>..E....b...,.
0010: 48 AF 0B 0B                                        H...
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 72 5C D2 77 D4 D0 3A B9   33 B0 1B EE F8 2D 84 87  r\.w..:.3....-..
0010: 32 58 2B DB                                        2X+.
]
]

What the "keytool -gencert" command shown above did for you:

  • Open the default keystore file in your home folder: C:\Users\fyicenter\.keystore.
  • Read the private key of "www.fyicenter.com" stored in the "mykey" entry of the keystore.
  • Open the CSR (Certificate Signing Request) file: 2nd_cert_req.csr to get the public key of "jar.fyicenter.com".
  • Generate a digital signature for the public key of "jar.fyicenter.com" with the private key of "www.fyicenter.com".
  • Save the public key and the digital signature as a signed certificate in "2nd_cert_signed.pem" for "jar.fyicenter.com".

2012-07-21
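
One way to check the result of the signing step above, as an added example that is not part of the original page: this Java program loads the signer's certificate from the "mykey" entry, confirms that 2nd_cert_signed.pem verifies under its public key, and flags SHA-1 or MD5 signature algorithms such as the SHA1withDSA shown in the output. The class name VerifySignedCert is an assumption; the file names and alias are the ones used on this page.

```java
import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example, not from the original page. File names and the alias are the
// page's; the class name is an assumption.
public class VerifySignedCert {
    public static void main(String[] args) throws Exception {
        File storeFile = new File(System.getProperty("user.home"), ".keystore");
        String alias = "mykey";
        String certFile = "2nd_cert_signed.pem";

        // Prompt for the password instead of passing it on the command line.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no interactive console");
        char[] storePass = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storeFile)) {
            ks.load(in, storePass);
        }
        X509Certificate signer = (X509Certificate) ks.getCertificate(alias);
        if (signer == null) throw new IllegalStateException("no certificate for alias " + alias);

        X509Certificate signed;
        try (InputStream in = new FileInputStream(certFile)) {
            signed = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }

        // Throws unless the signature verifies under the signer's public key.
        signed.verify(signer.getPublicKey());
        if (!signed.getIssuerX500Principal().equals(signer.getSubjectX500Principal()))
            throw new IllegalStateException("issuer name does not match signer's subject");

        System.out.println("Owner:  " + signed.getSubjectX500Principal());
        System.out.println("Issuer: " + signed.getIssuerX500Principal());
        String alg = signed.getSigAlgName();
        if (alg.toUpperCase().startsWith("SHA1") || alg.toUpperCase().startsWith("MD5"))
            System.out.println("WARNING: weak signature algorithm " + alg);

        // Throws if today is outside the "Valid from ... until ..." window.
        signed.checkValidity();
    }
}
```

Run it from the folder that holds 2nd_cert_signed.pem; the certificate printed on this page expired in 2012, so checkValidity() will reject it today.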