Lab 6 Exercise 4

Learn how to verify certificate chains.

A certificate chain (a.k.a. trust chain) consists of multiple certificates, where the first 'link' is the certificate being verified and the last 'link' (the root) is a trusted certificate, usually issued by a certification authority (CA).

Every certificate (except the root) is signed with a private key whose corresponding public key is contained in the issuer's certificate, one link closer to the root. The root certificate may be, and usually is, self-signed.

4.1. Create root certificate.

We need to emulate a CA with its own private key and certificate.

The CA private key (capriv.pem) is used to sign other certificates, including the root certificate itself, which is self-signed.

The CA certificate (cacert.pem) is used to verify the signature of the next certificate in the trust chain, the one signed with the CA key.

You should already know how to create a self-signed certificate (exercise 2).


  • Generate the CA private key (capriv.pem) and the trusted certificate (cacert.pem).

4.2. Create a new certificate signing request for existing keypair.

You should have at least one key in your keystore (exercise 3). You also know how to create a CSR using OpenSSL (exercise 2). We can do this with keytool too:

    keytool -certreq -alias DemoKey -file DemoKey.csr -keystore demo.jks


  • Sign the generated CSR with the CA signing key (result: DemoCert.pem).


  • For the serial number, any number will do; 2 works just fine for this task.

Certificate serial numbers are used for CRL and OCSP, and ideally the serial number should be different for every new certificate. So you can increment it for every new certificate you create.

4.3. Import created certificate into the keystore.

    keytool -import -alias SignedByCA -file DemoCert.pem -keystore demo.jks

Now the keystore should contain your new certificate signed by the CA. Make sure it is there (refer to exercise 2 for details).


  1. Verify the imported certificate (refer to exercise 3 for details).


  • Did signature verification succeed? Why?
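
The chain built in 4.1 and 4.2 can also be checked with OpenSSL alone, against more than one trust anchor. The script below is an added example, not part of the original lab sheet: capriv.pem, cacert.pem, DemoKey.csr and DemoCert.pem are the lab's file names, while demokey.pem, the subject names and the second, unrelated CA are constructed for the demonstration, and the CSR is produced by openssl instead of keytool.

```shell
#!/bin/sh
# Added example (not from the lab sheet): steps 4.1-4.2 with OpenSSL, then chain checks.
# capriv.pem, cacert.pem, DemoKey.csr, DemoCert.pem are the lab's names; demokey.pem,
# the subject names and the "unrelated" CA are constructed for this demonstration.

make_ca() {      # $1 = private key out, $2 = self-signed certificate out, $3 = subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

sign_csr() {     # $1 = CSR, $2 = CA certificate, $3 = CA key, $4 = serial, $5 = cert out
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" \
        -set_serial "$4" -days 30 -out "$5" 2>/dev/null
}

chain_ok() {     # $1 = trusted root, $2 = certificate to verify; exit status = verdict
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_lab() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca capriv.pem cacert.pem "/CN=Lab Root CA" || exit 1
        # Stand-in for the keystore key pair; the lab gets this CSR from keytool -certreq.
        openssl req -new -newkey rsa:2048 -nodes -keyout demokey.pem \
            -out DemoKey.csr -subj "/CN=DemoKey" 2>/dev/null || exit 1
        sign_csr DemoKey.csr cacert.pem capriv.pem 2 DemoCert.pem || exit 1
        make_ca otherpriv.pem othercert.pem "/CN=Unrelated CA" || exit 1

        # Same certificate, two different trust anchors.
        if chain_ok cacert.pem DemoCert.pem; then echo "lab-ca: OK"
        else echo "lab-ca: REJECTED"; fi
        if chain_ok othercert.pem DemoCert.pem; then echo "other-ca: OK"
        else echo "other-ca: REJECTED"; fi
        # The root verifies against itself because it is self-signed.
        if chain_ok cacert.pem cacert.pem; then echo "root: OK"
        else echo "root: REJECTED"; fi
        openssl x509 -in DemoCert.pem -noout -serial   # serial chosen in 4.2
    )
    status=$?
    rm -rf "$dir"
    return "$status"
}

run_lab
```

The signature on DemoCert.pem is identical in both checks; only the certificate supplied as the trusted root changes, and that alone decides the result.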