OpenSSL "req -x509" - Sign CSR with Different Key
Can I sign my own CSR with a different private key using the OpenSSL "req -x509" command?
✍: FYIcenter.com
Yes, you can sign your own CSR (Certificate Signing Request) with a different private key
using the OpenSSL "req -x509" command as shown below.
But the result is not a true self-signed certificate. The "subject" entity name will be the same as the "issuer" name, but the digital signature is not generated with the private key that matches the public key in the certificate.
For example, if you have a CSR, rsa_test.csr, created from an RSA key pair, rsa_test.key, you can run the following OpenSSL commands to sign it with a DSA private key:
C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> genpkey -genparam -algorithm dsa -out dsa_test.prm -pkeyopt dsa_paramgen_bits:256
...........+++++++++++++++++++++++++++++++++++++++++++++++++++*
......+..+......+......+...+...+.+.+..+...................+.......+...+.........
..........+..........+...........................+....+...+...........+.........
..+.+.................................+......+..................+...............
.......+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
OpenSSL> genpkey -paramfile dsa_test.prm -out dsa_test.key
OpenSSL> req -x509 -in rsa_test.csr -key dsa_test.key -out rsa_dsa_test.crt
OpenSSL> x509 -in rsa_dsa_test.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f6:7d:11:23:20:b6:f1:77
    Signature Algorithm: dsa_with_SHA256
        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Validity
            Not Before: Aug 21 13:02:46 2016 GMT
            Not After : Sep 20 13:02:46 2016 GMT
        Subject: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:f6:d5:d3:79:87:8d:9d:83:49:6f:fb:08:67:08:
                    fb:0f:ab:b4:7f:51:55:7b:49:fa:e3:47:8e:6e:22:
                    d7:ba:ad:dc:10:56:e9:b3:42:f7:25:20:9d:a5:e3:
                    5f:5e:7c:95:cb:5a:22:f3:8f:3d:e1:b2:0a:fa:15:
                    c5:16:64:17:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsa_with_SHA256
         r:
             1c:c1:8c:6a:0f:79:b6:68:33:ec:59:30:aa:e9:f1:
             19:03:5a:c0:1f
         s:
             00:91:d5:16:e3:8c:8f:71:57:0c:c8:e1:69:04:4a:
             d1:a5:62:b8:29:91
Commands used in this test:
As you can see from the "x509 -in rsa_dsa_test.crt -text -noout" command output, the final certificate is really a normal certificate: the public key of the subject is signed by the private key of the issuer. The signing key is not related to the key being certified at all. But the subject name is identical to the issuer name.
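A certificate like this can be told apart from a true self-signed one by checking two things: subject equals issuer, and the signature verifies under the certificate's own public key. The script below is an added example, not part of the original tutorial. The EC signing key (used here instead of DSA), the file names other than rsa_test.key and rsa_test.csr, the subject CN and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example. The EC signing key, the CN, the function names and the file
# names other than rsa_test.key / rsa_test.csr are assumptions of this example.

# make_certs DIR: create a true self-signed cert and a look-alike in DIR.
make_certs() {
    d=$1
    # Minimal config so the run does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=www.example.test\n' \
        > "$d/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/rsa_test.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/other.key" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/rsa_test.key" \
        -out "$d/rsa_test.csr"
    # True self-signed: signed with the key whose public half is in the CSR.
    openssl req -x509 -config "$d/req.cnf" -in "$d/rsa_test.csr" \
        -key "$d/rsa_test.key" -out "$d/self.crt" 2>/dev/null
    # Look-alike: same CSR, but signed with the unrelated key.
    openssl req -x509 -config "$d/req.cnf" -in "$d/rsa_test.csr" \
        -key "$d/other.key" -out "$d/mismatch.crt" 2>/dev/null
}

# is_true_self_signed CERT: succeed only if subject == issuer AND the
# signature verifies under the certificate's own public key.
is_true_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1
    # -check_ss_sig makes "verify" check the signature on the self-signed
    # certificate itself; the certificate is used as its own trust anchor.
    openssl verify -check_ss_sig -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# Demo run on freshly generated certificates.
tmp=$(mktemp -d) && make_certs "$tmp"
for c in self.crt mismatch.crt; do
    if is_true_self_signed "$tmp/$c"; then
        echo "$c: true self-signed certificate"
    else
        echo "$c: not a true self-signed certificate"
    fi
done
rm -rf "$tmp"
```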
2016-11-05