Java question about certificate signing process

I got confused by the process of creating a valid CA-signed certificate in Java.
I know that Java has a tool, keytool, for creating public and private keys and certificates.
It also supports JKS and PKCS #12.
Thus, you can create a keystore with a public key and a certificate, for example:

keytool -genkey -keyalg RSA -alias aCert -keystore someKeystore.keystore

This will create a keystore with a certificate (self-signed).
So far I understand.
I can export a certificate for a CSR request to send to a CA, for example Verisign, without the secret key, of course.
After this part, I am lost.
Will CA sign it and will I have to re-import it into the keystore? Will this replace the original certificate already in the keystore?

It will still be self-signed. Should the issuer be the CA itself? But then how is this possible? Am I just sending a public key, not a certificate?
Any help on clearing up the process, please?
UPDATE:
Is the CA that signs a certificate (e.g. Verisign) also the issuer? Or can it sign a certificate where issuer==subject?
Thanks

+3
2 answers

You are right about creating a CSR. You will use something like this:

$ keytool -certreq -alias myalias -file myalias.csr -keystore keystore

to create a CSR that contains:

  • your public key (extracted from a self-signed certificate)
  • (.. , )

. CA :

  • subject = DN ( CSR, , )
  • issuer = CA DN
  • = CSR

, :

$ keytool -import -alias myalias -keystore keystore -file myalias.crt

, , ; :

$ keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore keystore

: keytool ( "" , , ):

keytool "" , "" . , .

(. -genkey), - . , () , (, ). , -genkey / , .

, (CSR) (. -certreq) (CA), (. "" ) . (), , . - , CA.

+6
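The flow in the answer above, run end to end, as an added example that is not part of the original answer: a throwaway local CA driven by `keytool -gencert` stands in for a commercial CA, and the final listing shows that importing the reply under the same alias replaces the self-signed certificate with one whose issuer is the CA. The function name `ca_sign_demo`, the aliases, DNs, file names and password are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. A throwaway local CA (keytool -gencert) stands in for a
# commercial CA; every alias, DN, file name and password here is constructed.
ca_sign_demo() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  trap 'rm -rf "$dir"' EXIT
  pass=changeit   # demo password only
  ca="-keystore ca.p12 -storetype PKCS12 -storepass $pass"
  srv="-keystore keystore -storetype PKCS12 -storepass $pass"
  {
    # 1. CA side: root key pair with a self-signed CA certificate, exported to ca.crt.
    keytool -genkeypair $ca -keypass "$pass" -alias ca -keyalg RSA -keysize 2048 \
      -dname "CN=Demo CA" -ext bc:c=ca:true -validity 30 &&
    keytool -exportcert $ca -alias ca -rfc -file ca.crt &&
    # 2. Your side: key pair; keytool wraps the public key in a self-signed
    #    certificate (issuer == subject) as a placeholder.
    keytool -genkeypair $srv -keypass "$pass" -alias myalias -keyalg RSA \
      -keysize 2048 -dname "CN=server.example" -validity 30 &&
    # 3. CSR: carries the subject DN and public key; the private key never leaves.
    keytool -certreq $srv -alias myalias -file myalias.csr &&
    # 4. CA side: issue a certificate for the CSR's subject and public key,
    #    signed with the CA's private key (issuer = CA DN).
    keytool -gencert $ca -alias ca -infile myalias.csr -outfile myalias.crt \
      -rfc -validity 30 &&
    # 5. Import the CA certificate as a trust anchor, then the reply under the
    #    SAME alias so it attaches to the existing private key.
    keytool -importcert $srv -noprompt -trustcacerts -alias root -file ca.crt &&
    keytool -importcert $srv -noprompt -alias myalias -file myalias.crt
  } >&2 || exit 1
  # 6. Report what the alias holds now (English output forced for parsing).
  keytool -J-Duser.language=en -list -v $srv -alias myalias |
    grep -E -m4 '^(Entry type|Certificate chain length|Owner|Issuer):'
)
# Run with: ca_sign_demo
```

If step 5 is done without first importing the CA certificate, keytool cannot build a chain from the reply to a trusted entry and rejects the import.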

, CA , . == subject. , , , , , ... , , .

+2

Source: https://habr.com/ru/post/1795325/