OpenSSL "req -x509" - Sign CSR with Different Key

Q

Can I sign my own CSR with a different private key using the OpenSSL "req -x509" command?

✍: FYIcenter.com

A

Yes, you can sign your own CSR (Certificate Signing Request) with a different private key using the OpenSSL "req -x509" command as shown below.

But the result is not a true self-signed certificate. The "subject" and "issuer" names will be identical, but the signature is not made with the private key that corresponds to the public key in the certificate; it is made with the unrelated key you pass to "-key".

For example, if you have a CSR, rsa_test.csr, created from an RSA key pair, rsa_test.key, you can run the OpenSSL commands to sign it with a DSA private key:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> genpkey -genparam -algorithm dsa -out dsa_test.prm 
   -pkeyopt dsa_paramgen_bits:256
...........+++++++++++++++++++++++++++++++++++++++++++++++++++*
......+..+......+......+...+...+.+.+..+...................+.......+...+.........
..........+..........+...........................+....+...+...........+.........
..+.+.................................+......+..................+...............
.......+.+++++++++++++++++++++++++++++++++++++++++++++++++++*

OpenSSL> genpkey -paramfile dsa_test.prm -out dsa_test.key

OpenSSL> req -x509 -in rsa_test.csr -key dsa_test.key -out rsa_dsa_test.crt

OpenSSL> x509 -in rsa_dsa_test.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f6:7d:11:23:20:b6:f1:77
    Signature Algorithm: dsa_with_SHA256
        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, 
                CN=www.donald.inc/emailAddress=john@donald.inc
        Validity
            Not Before: Aug 21 13:02:46 2016 GMT
            Not After : Sep 20 13:02:46 2016 GMT
        Subject: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, 
                 CN=www.donald.inc/emailAddress=john@donald.inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:f6:d5:d3:79:87:8d:9d:83:49:6f:fb:08:67:08:
                    fb:0f:ab:b4:7f:51:55:7b:49:fa:e3:47:8e:6e:22:
                    d7:ba:ad:dc:10:56:e9:b3:42:f7:25:20:9d:a5:e3:
                    5f:5e:7c:95:cb:5a:22:f3:8f:3d:e1:b2:0a:fa:15:
                    c5:16:64:17:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsa_with_SHA256
         r:
             1c:c1:8c:6a:0f:79:b6:68:33:ec:59:30:aa:e9:f1:
             19:03:5a:c0:1f
         s:
             00:91:d5:16:e3:8c:8f:71:57:0c:c8:e1:69:04:4a:
             d1:a5:62:b8:29:91

Commands used in this test:

  • "genpkey -genparam -algorithm dsa -out dsa_test.prm -pkeyopt dsa_paramgen_bits:256" - Generates DSA domain parameters (p, q, g) with a 256-bit prime size into dsa_test.prm.
  • "genpkey -paramfile dsa_test.prm -out dsa_test.key" - Generates a DSA private/public key pair from the DSA parameter file.
  • "req -x509 -in rsa_test.csr -key dsa_test.key -out rsa_dsa_test.crt" - Signs the CSR with the DSA private key, copying the CSR's "subject" name into the "issuer" field and the CSR's RSA public key into the certificate. The result is a regular signed certificate, not a true self-signed certificate.
  • "x509 -in rsa_dsa_test.crt -text -noout" - Prints the content of the signed certificate.

As you can see from the "x509 -in rsa_dsa_test.crt -text -noout" output, the final certificate is really a normal certificate: the subject's RSA public key (Public Key Algorithm: rsaEncryption) is signed by the issuer's DSA private key (Signature Algorithm: dsa_with_SHA256). The signing key is not related to the key being certified at all; only the subject name is identical to the issuer name. A relying party that treats the certificate as self-signed because of the matching names will try to check the DSA signature with the embedded RSA public key, and that check fails. Note also that the 512-bit RSA key and 256-bit DSA parameters used in this test are toy sizes for illustration only.
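The procedure above, generalized so that the result can be checked, as an added example that is not part of the original page: a POSIX shell script that builds an RSA CSR, signs it twice with "req -x509" (once with its own key, once with an unrelated key), and then classifies each certificate from its "Public Key Algorithm" and "Signature Algorithm" fields and from an "openssl verify -check_ss_sig" run. The file names, the subject name, and the use of an EC P-256 key as the unrelated signing key (instead of the page's DSA key, which is slow to generate; the effect is the same) are assumptions made for this demonstration, and the script needs an openssl binary (1.1.x or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not code from the FYIcenter page: reproduce "req -x509" with
# an unrelated signing key and test whether the result is really self-signed.
# Assumed: an openssl binary (1.1.x or 3.x) on PATH. The file names, subject
# and the EC P-256 "other" key (used instead of the page's DSA key because it
# generates instantly; the mismatch is the same) are chosen for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=NY/L=New York/O=Example Inc./CN=www.example.test"

# Inputs: an RSA key pair, a CSR for it, and a second key unrelated to the CSR.
make_inputs() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rsa.key" 2>/dev/null
    openssl req -new -key "$WORK/rsa.key" -subj "$SUBJ" -sha256 -out "$WORK/rsa.csr" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/other.key" 2>/dev/null
}

# sign_csr CSR KEY OUT: "req -x509" copies the CSR subject into the issuer and
# takes the public key from the CSR, but signs with whatever -key names.
sign_csr() {
    openssl req -x509 -in "$1" -key "$2" -days 30 -sha256 -out "$3" 2>/dev/null
}

# Algorithm of the public key certified in CERT, e.g. rsaEncryption.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm:/ { print $4; exit }'
}

# Algorithm of the signature on CERT, e.g. ecdsa-with-SHA256.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Reduce a key or signature algorithm name to its key family.
alg_family() {
    case "$1" in
        rsaEncryption|rsassaPss|*RSA*) echo rsa ;;
        id-ecPublicKey|ecdsa*)         echo ec ;;
        dsaEncryption|dsa*)            echo dsa ;;
        *)                             echo unknown ;;
    esac
}

# classify CERT: "self-signed" when issuer == subject and the signature family
# matches the certified key, "self-issued-only" when the names match but the
# signature comes from another key type, "normal" otherwise. A foreign key of
# the same family is only caught by an actual signature check (see below).
classify() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ]; then
        echo normal
    elif [ "$(alg_family "$(cert_key_alg "$1")")" = "$(alg_family "$(cert_sig_alg "$1")")" ]; then
        echo self-signed
    else
        echo self-issued-only
    fi
}

# verify_own_anchor CERT [-check_ss_sig]: is CERT accepted as its own trust
# anchor? "-check_ss_sig" makes OpenSSL verify the anchor's own signature too.
verify_own_anchor() {
    if openssl verify ${2:-} -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_inputs
sign_csr "$WORK/rsa.csr" "$WORK/rsa.key"   "$WORK/true_self_signed.crt"
sign_csr "$WORK/rsa.csr" "$WORK/other.key" "$WORK/foreign_signed.crt"

for name in true_self_signed foreign_signed; do
    crt="$WORK/$name.crt"
    echo "$name: key=$(cert_key_alg "$crt") sig=$(cert_sig_alg "$crt") => $(classify "$crt")"
    echo "  as own trust anchor: $(verify_own_anchor "$crt"); with -check_ss_sig: $(verify_own_anchor "$crt" -check_ss_sig)"
done
```

The first certificate classifies as self-signed and passes "openssl verify -check_ss_sig" against itself; the second shows rsaEncryption next to ecdsa-with-SHA256, classifies as self-issued-only, and fails once the anchor's signature is actually checked. Whether plain "openssl verify" (without -check_ss_sig) accepts the second certificate as its own trust anchor varies between OpenSSL releases, because older releases skip the signature check on a trust anchor whose issuer equals its subject, so the script prints that result rather than relying on it.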

 

OpenSSL Not Validate Signature in Self-Signed Certificate

OpenSSL "req -x509 -md5" - MD5 Digest for Signing

OpenSSL "req" Command


2016-11-05