OpenSSL "x509 -req" - Quick Way to Sign CSR
Q
How to sign a CSR with OpenSSL "x509" command? I want a quick way to sign a CSR without setting the OpenSSL "ca" command.
✍: FYIcenter.com
A
Normally, you should set up OpenSSL "ca" command to sign a CSR.
But if you want quick alternative, you can use the "x509" command to sign a CSR
as shown in the test below:
C:\Users\fyicenter>\local\OpenSSL\openssl
OpenSSL> req -in my_rsa.csr -subject -noout
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddres
s=john@donald.inc
OpenSSL> req -in my_rsa.csr -verify -noout
verify OK
OpenSSL> x509 -req -in my_rsa.csr -CA my_ca.crt -CAkey my_ca.key -out my_rsa.crt
-set_serial 2000
Signature ok
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddres
s=john@donald.inc
Getting CA Private Key
Enter pass phrase for my_ca.key:fyicenter
OpenSSL> x509 -in my_rsa.crt -subject -noout
subject= /C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc
/emailAddress=john@donald.inc
OpenSSL> x509 -in my_rsa.crt -issuer -noout
issuer= /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security/CN=FYIcenter Root CA
/emailAddress=root-ca@fyicenter.com
Notes about the test:
- "req -in my_rsa.csr -verify" command is used to verify the CSR.
- "x509 -req -in my_rsa.csr ..." command is used to certify and sign the CSR with my CA certificate (given in the -CA option) and CA private key (given in the -CAkey option).
- "x509 -in my_rsa.crt -issuer" command is used to confirm that the new certificate has the correct issuer DN fields.
⇒ OpenSSL "x509 -req" - Error "my_ca.srl: No error"
2018-02-01, 1006👍, 0💬
Related Topics: