OpenSSL "x509 -x509toreq" - Conver Certificate to CSR

Q

How to convert a certificate to a CSR using OpenSSL "x509" command? I want to generate a CSR with the same information as my existing certificate.

✍: FYIcenter.com

A

You can convert a certificate to a CSR using the OpenSSL "x509 -x509toreq" command as shown below:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> x509 -x509toreq -in twitter.crt -signkey test.key -out twitter.csr
Getting request Private Key
Generating certificate request   

OpenSSL> req -in twitter.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: businessCategory=Private Organization/jurisdictionC=US/jurisdic
tionST=Delaware/serialNumber=4337446/street=Suite 900/street=1355 Market St/post
alCode=94103, C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter
Security, CN=twitter.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:08:98:fa:67:00:05:55:b6:0b:61:0e:1a:d7:
                    b5:8a:c1:cc:03:be:3c:17:fb:94:f7:d9:fa:4c:9f:
                    46:60:9c:6a:ad:7d:3a:e5:34:5a:12:b0:b2:0b:aa:
                    ec:96:e1:58:81:2f:ad:60:ab:47:93:69:e3:84:75:
                    53:c1:f9:0f:b9:46:ab:9e:ea:ab:18:98:8c:68:54:
                    08:51:65:43:1a:61:97:27:5c:5e:0f:15:e9:cd:16:
                    ab:dd:51:5b:76:2f:fc:d3:11:99:9d:d2:a6:3d:87:
                    02:75:e6:24:96:e2:04:3e:14:9c:fa:7e:b8:71:42:
                    37:00:b5:b0:8a:e2:33:95:8b:da:3f:fb:63:4d:37:
                    62:d5:1c:02:ea:30:7e:dc:0d:53:d5:d4:0b:b8:a3:
                    10:13:6d:1f:89:94:0b:6a:94:44:67:29:82:ad:e6:
                    d5:b0:52:fc:95:57:06:d6:d1:22:66:84:d3:92:2a:
                    02:c7:94:56:df:55:3f:c2:13:f2:7c:16:78:33:a1:
                    53:f7:77:97:5c:b7:96:05:d5:44:f4:bf:ef:83:22:
                    5d:7a:e6:8f:e4:ac:df:34:9e:b6:0f:0a:53:f0:1a:
                    db:71:37:69:92:f6:14:a9:1c:75:65:72:45:24:09:
                    3b:2c:6a:d7:b9:69:a5:dc:df:6d:9c:6b:fc:c6:a2:
                    5b:31
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         6c:17:ca:f2:ac:76:97:be:07:d1:75:b2:24:06:6e:32:dc:c5:
         23:be:06:d9:09:7e:c3:06:2e:62:40:aa:6a:55:db:17:95:c7:
         5a:d4:f3:ab:7a:fe:26:30:4b:69:47:bd:43:9f:3c:8b:15:46:
         3f:4b:b9:c8:8b:1b:29:5e:08:77:e2:7e:6c:f4:31:e3:9e:6a:
         5a:5f:7d:6d:4a:70:de:a5:b4:ed:56:59:95:6b:3b:d9:08:cd:
         4e:ac:c3:f7:cb:8a:ac:ab:52:a6:10:14:c6:2b:fa:05:40:26:
         d6:8c:ec:d4:07:14:b7:8d:dd:9e:6f:86:fd:3d:32:dc:81:4f:
         c9:27

Options used in the "x509" commands are:

  • "-x509toreq" - Converts certificate from input to CSR to output.
  • "-in twitter.crt" - Read the certificate from the given input file.
  • "-signkey test.key" - Read the private key from the given file to sign the CSR.
  • "-out twitter.csr" - Write the output CSR to the given file.

One big advantage of using "x509 -x509toreq" command to convert a certificate to a new CSR to avoid re-entering all DN (Distinguished Name) field values. The new CSR will copy all DN fields from the certificate to the CSR. In other words, the CSR will have an identical subject as the certificate.

 

OpenSSL "x509" Command

⇒⇒OpenSSL Tutorials

2018-02-14, 632👍, 0💬