Creating a Certificate Signing Request (CSR)
Download the Java Development Kit (JDK) and install it on your system. Add the bin directory of the JDK installation to your system PATH environment variable. The keytool command can now be run from any folder on the system.
Open a command prompt and change your directory to, say, the following location.
Now we will create a keystore using the keytool utility provided by the JDK.
Use the following command to create the keystore client.jks:
keytool -genkey -dname "CN=example.com, OU=SSPL OU, O=SSPL, ST=Maharashtra, C=IN" -validity 365 -alias clientcls -keystore client.jks
Enter keystore password:
Re-enter new password:
Enter key password for <clientcls>
(RETURN if same as keystore password):
The keystore password entered is: test123
Some parts of the subject DN must match the values in the CA certificate (specified in the CA Policy section of the openssl.cnf file).
The default openssl.cnf file requires the following entries to match:
Country Name (C)
State or Province Name (ST)
Organization Name (O)
Note: if you do not observe these constraints, the OpenSSL CA will refuse to sign the certificate.
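A pre-flight check for the constraint above, as an added example that is not part of the original post: it compares the -dname subject with a CA subject using the rules of the default policy_match section of openssl.cnf. The CA subject is a constructed sample, and the supplied/optional rules for CN, OU and emailAddress come from the stock openssl.cnf rather than from this page.

```python
import re

# Rules of the default [ policy_match ] section in openssl.cnf. The page lists
# the three "match" fields; the other entries are from the stock file.
POLICY_MATCH = {
    "C": "match", "ST": "match", "O": "match",
    "OU": "optional", "CN": "supplied", "EMAILADDRESS": "optional",
}

CSR_DN = "CN=example.com, OU=SSPL OU, O=SSPL, ST=Maharashtra, C=IN"  # from the page
CA_DN = "CN=Sample Root CA, O=SSPL, ST=Maharashtra, C=IN"  # constructed sample


def parse_dn(dn):
    """Split a keytool-style DN into {ATTRIBUTE: [values]}.

    Splits on commas that are not backslash-escaped. Quoted values and
    multi-valued RDNs ('+') are outside what this example handles.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs.setdefault(key.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return attrs


def check_policy(csr_dn, ca_dn, policy=POLICY_MATCH):
    """Return the policy violations; an empty list means the DN passes."""
    csr, ca = parse_dn(csr_dn), parse_dn(ca_dn)
    problems = []
    for attr, rule in policy.items():
        have = csr.get(attr)
        if rule in ("match", "supplied") and not have:
            problems.append(f"{attr}: required ({rule}) but missing from CSR")
        elif rule == "match" and have != ca.get(attr):
            # Exact, case-sensitive comparison (an assumption of this example).
            problems.append(f"{attr}: CSR has {have}, CA has {ca.get(attr)}")
    return problems


if __name__ == "__main__":
    for dn in (CSR_DN, "CN=example.com, O=SSPL, ST=Karnataka, C=IN"):
        print(dn, "->", check_policy(dn, CA_DN) or "OK")
```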
Create a new certificate signing request (CSR) for the client.jks certificate as follows.
Use the following command to generate the CSR:
keytool -certreq -alias clientcls -file ClientCertificate_csr.pem -keystore client.jks
Enter the keystore password as test123.
Note also that the alias is clientcls, which we used when creating the keystore client.jks.
The above command generates a CSR file named ClientCertificate_csr.pem.
The file contains the PEM-encoded request between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
We will send the CSR file ClientCertificate_csr.pem to the CA to sign.