The OpenSSL Project has developed a open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security TLS (v1) protocols as well as a full-strength general purpose cryptography library.

OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

The OpenSSL toolkit can be used to generate the keys that a web server (e.g. Apache) needs to encrypt the data sent between the client (browser) and the web server.
A simple overview of this process can be found here below:
  • A client browser connects to the Apache HTTP server via a Web request.

  • The browser asks to start a secure session with the server.

  • The server returns the site's certificate (= mobilefish.com_cert.pem) which also includes the server public key.

  • The browser analyzes the certificate and informs the user about its validity (e.g., was it issued by a recognized, trusted certificate authority?).

  • The browser creates a session key, which is encrypted with the server's public key, which is then sent to the server. This public or asymmetric key is generally 1024 bits. Much stronger public keys of 2048 bits could be provided but, perhaps for performance reasons, these are not in general use.

  • The server then decrypts this information using its private key (mobilefish.com_key.pem).

  • Both the browser and the server now are using the same session key. This is a symmetric key used to encrypt and decrypt data exchanged by the browser and server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit session is established even if your Web server supports 128-bit sessions.

More information about the OpenSSL Project can be found at:

The latest OpenSSL version (no binary distributions) can be downloaded from:

Links to OpenSSL binary distributions can be found at:

How to sign a certificate request by you own CA.


Operating system used
Windows XP Home Edition Version 5.1 SP 2

Software prerequisites
OpenSSL v0.9.7d or higher

  1. First follow guide "Create your own Root Certification Authority (CA) certificate".
    You need a Root CA certificate first.

  2. You also need a client certificate request. In this example the client certificate request is a file called storereq.pem. This file has been created by the keytool utililty.

    Note: You can also use the openssl command to create your own certificate request.
    See quick guide: "Command examples".

  3. Copy storereq.pem to C:\Tools\openssl\bin

  4. Open a dos window and goto OpenSSL bin directory:
    e.g.: cd C:\Tools\openssl\bin

  5. To display the content of storereq.pem, type:

    C:\Tools\OpenSSL\bin>openssl req -noout -text -in storereq.pem

    You should see the following:

    Certificate Request:
          Version: 0 (0x0)
          Subject: C=NL, ST=Noord-Holland, L=Zaandam,,
          OU=Research and Development,
          Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                Modulus (1024 bit):

  6. Please check if file "C:\Tools\OpenSSL\bin\demoCA\serial" exists. This file holds the CA's serial numbers (= sequence numbers). If this file does not exists, create it:

    C:\Tools\OpenSSL\bin>echo 00 > demoCA/serial

    Note: Each time the CA signs a certificate request, the sequence number is increased by 1 in file demoCA/serial.

  7. Please check if the following files exists:

    • C:\Tools\OpenSSL\bin\demoCA\index.txt.attr.old
    • C:\Tools\OpenSSL\bin\demoCA\index.txt.old
    • C:\Tools\OpenSSL\bin\demoCA\serial.old

    If any of these files exists, delete them.

  8. The certificate request can now be signed, type:

    Note: The files cakey.pem and cacert.pem were previously created in quick guide
    "Create your own Root Certification Authority (CA) certificate".

    C:\Tools\OpenSSL\bin>openssl ca -in storereq.pem -out store_1_cert.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem

    You should see:

    Using configuration from C:\Tools\OpenSSL\bin\openssl.cnf
    Loading 'screen' into random state - done
    Enter pass phrase for demoCA/private/cakey.pem:
    DEBUG[load_index]: unique_subject = "no"
    Check that the request matches the signature
    Signature ok
    Certificate Details:
       Serial Number: 15 (0xf)
          Not Before: Jul 13 18:53:32 2005 GMT
          Not After : Jul 13 18:53:32 2006 GMT
          countryName = NL
          stateOrProvinceName = Noord-Holland
          organizationName =
          organizationalUnitName = Research and Development
          commonName =
       X509v3 extensions:
          X509v3 Basic Constraints:
          Netscape Comment:
             OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
          X509v3 Authority Key Identifier:
             OU=Certification Services/ CA/

    Certificate is to be certified until Jul 13 18:53:32 2006 GMT (365 days)
    Sign the certificate? [y/n]:

    1 out of 1 certificate requests certified, commit? [y/n] y
    Write out database with 1 new entries
    Data Base Updated

  9. File store_1_cert.pem is created containing the signed certificate.

  10. To verify that the client certificate was signed by the Root CA, type:

    C:\Tools\OpenSSL\bin>openssl verify -CAfile demoCA/cacert.pem store_1_cert.pem

    You should see:

    store_1_cert.pem: OK

  11. The next step is to convert store_1_cert.pem into file certificate store_2_cert.pem containing the following data:

    The data (incl. the header) between
    "-----BEGIN CERTIFICATE-----"
    "-----END CERTIFICATE-----"
    of file store_1_cert.pem.

    This is done as follow:

    C:\Tools\OpenSSL\bin>openssl x509 -in store_1_cert.pem -out store_2_cert.pem

  12. Before you can import the certificate into the keystore it must be converted first into a PKCS#7 file.

    C:\Tools\OpenSSL\bin>openssl crl2pkcs7 -nocrl -certfile store_2_cert.pem -certfile demoCA/cacert.pem -outform DER -out cert.p7c

  13. File cert.p7c is created containing the two certificates data.

  14. The file cert.p7c can now be used to sign jar files. You need to import cacert.pem and cert.p7c into your keystore first. This is explained in the quick guide keytool.