OpenSSL "req -x509" - Sign My Own CSR

Q

Can I sign my own CSR with the OpenSSL "req -x509" command?

✍: FYIcenter.com

A

Yes, you can sign you own CSR (Certificate Sign Request) with the OpenSSL "req -x509" command as shown below. The result is a self-signed certificate. See the example below:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -newkey rsa:512 -keyout rsa_test.key -out rsa_test.csr
Generating a 512 bit RSA private key
........++++++++++++
.........++++++++++++
Enter PEM pass phrase:fyicenter
Verifying - Enter PEM pass phrase:fyicenter
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:us
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Donald Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.donald.inc
Email Address []:john@donald.inc

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fyicenter
An optional company name []:DonaldInc

OpenSSL> req -x509 -in rsa_test.csr -key rsa_test.key -out rsa_test.crt
Enter pass phrase for rsa_test.key:fyicenter

OpenSSL> x509 -in rsa_test.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            86:3c:bb:2c:17:e7:65:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, 
                CN=www.donald.inc/emailAddress=john@donald.inc
        Validity
            Not Before: Aug 21 12:34:18 2016 GMT
            Not After : Sep 20 12:34:18 2016 GMT
        Subject: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, 
                 CN=www.donald.inc/emailAddress=john@donald.inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:f6:d5:d3:79:87:8d:9d:83:49:6f:fb:08:67:08:
                    fb:0f:ab:b4:7f:51:55:7b:49:fa:e3:47:8e:6e:22:
                    d7:ba:ad:dc:10:56:e9:b3:42:f7:25:20:9d:a5:e3:
                    5f:5e:7c:95:cb:5a:22:f3:8f:3d:e1:b2:0a:fa:15:
                    c5:16:64:17:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ba:24:9c:7f:a0:d8:c3:7d:ef:c3:b2:b1:53:f8:e0:12:77:4b:
         d0:b3:ae:a4:f9:dc:1b:8f:30:51:6f:6a:81:6b:a1:a6:6a:0f:
         d1:18:93:14:61:46:48:55:a7:03:33:96:b6:dd:8a:b3:2f:ef:
         f6:c3:8d:19:1b:30:ee:16:16:ee

Commands used in this test:

  • "req -newkey rsa:512 -keyout rsa_test.key -out rsa_test.csr" - Generates a pair of RSA 512-bit public key with private key, and a CSR with "www.donald.inc" as the CN in the "subject".
  • "req -x509 -in rsa_test.csr -key rsa_test.key -out rsa_test.crt" - Signs the CSR with the same RSA private key and copies the entity name of the "subject" as the "issuer". The result is a self-signed certificate.
  • "x509 -in rsa_test.crt -text -noout" - Prints out content of the self-signed certificate.

 

OpenSSL "req -x509 -days" - Longer Self-Signed Certificate

OpenSSL Self-Signed Certificate Components

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-11-08, 803👍, 0💬