OpenSSL "x509 -req" - Quick Way to Sign CSR

Q

How to sign a CSR with OpenSSL "x509" command? I want a quick way to sign a CSR without setting the OpenSSL "ca" command.

✍: FYIcenter.com

A

Normally, you should set up OpenSSL "ca" command to sign a CSR. But if you want quick alternative, you can use the "x509" command to sign a CSR as shown in the test below:

C:\Users\fyicenter>\local\OpenSSL\openssl

OpenSSL> req -in my_rsa.csr -subject -noout
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddres
s=john@donald.inc

OpenSSL> req -in my_rsa.csr -verify -noout
verify OK

OpenSSL> x509 -req -in my_rsa.csr -CA my_ca.crt -CAkey my_ca.key -out my_rsa.crt
    -set_serial 2000
Signature ok
subject=/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddres
s=john@donald.inc
Getting CA Private Key
Enter pass phrase for my_ca.key:fyicenter

OpenSSL> x509 -in my_rsa.crt -subject -noout
subject= /C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc
   /emailAddress=john@donald.inc

OpenSSL> x509 -in my_rsa.crt -issuer -noout
issuer= /C=US/ST=TX/L=City/O=FYIcenter.com/OU=Security/CN=FYIcenter Root CA 
   /emailAddress=root-ca@fyicenter.com

Notes about the test:

  • "req -in my_rsa.csr -verify" command is used to verify the CSR.
  • "x509 -req -in my_rsa.csr ..." command is used to certify and sign the CSR with my CA certificate (given in the -CA option) and CA private key (given in the -CAkey option).
  • "x509 -in my_rsa.crt -issuer" command is used to confirm that the new certificate has the correct issuer DN fields.

 

OpenSSL "x509 -req" - Error "my_ca.srl: No error"

OpenSSL "req -verify" - Error "wrong signature length"

OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2018-02-01, 712👍, 0💬