OpenSSL "x509 -req" - Quick Way to Sign CSR


How to sign a CSR with OpenSSL "x509" command? I want a quick way to sign a CSR without setting the OpenSSL "ca" command.



Normally, you should set up OpenSSL "ca" command to sign a CSR. But if you want quick alternative, you can use the "x509" command to sign a CSR as shown in the test below:


OpenSSL> req -in my_rsa.csr -subject -noout
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/

OpenSSL> req -in my_rsa.csr -verify -noout
verify OK

OpenSSL> x509 -req -in my_rsa.csr -CA my_ca.crt -CAkey my_ca.key -out my_rsa.crt
    -set_serial 2000
Signature ok
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/
Getting CA Private Key
Enter pass phrase for my_ca.key:fyicenter

OpenSSL> x509 -in my_rsa.crt -subject -noout
subject= /C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/

OpenSSL> x509 -in my_rsa.crt -issuer -noout
issuer= /C=US/ST=TX/L=City/ Root CA 

Notes about the test:

  • "req -in my_rsa.csr -verify" command is used to verify the CSR.
  • "x509 -req -in my_rsa.csr ..." command is used to certify and sign the CSR with my CA certificate (given in the -CA option) and CA private key (given in the -CAkey option).
  • "x509 -in my_rsa.crt -issuer" command is used to confirm that the new certificate has the correct issuer DN fields.


OpenSSL "x509 -req" - Error " No error"

OpenSSL "req -verify" - Error "wrong signature length"

OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2018-02-01, 2338🔥, 0💬