OpenSSL "req -x509" - Sign CSR with Different Key
Can I sign my own CSR with a different private key using the OpenSSL "req -x509" command?
✍: FYIcenter.com
Yes, you can sign your own CSR (Certificate Signing Request) with a different private key using the OpenSSL "req -x509" command as shown below.
But the result is not a true self-signed certificate. The "subject" name will be the same as the "issuer" name, but the digital signature is not produced with the private key that matches the public key in the certificate, so the signature cannot be verified with the certificate's own key.
For example, if you have a CSR, rsa_test.csr, created from an RSA key pair, rsa_test.key, you can run the OpenSSL commands below to sign it with a DSA private key instead.
Commands used in this test:

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> genpkey -genparam -algorithm dsa -out dsa_test.prm -pkeyopt dsa_paramgen_bits:256
...........+++++++++++++++++++++++++++++++++++++++++++++++++++*
......+..+......+......+...+...+.+.+..+...................+.......+...+.........
..........+..........+...........................+....+...+...........+.........
..+.+.................................+......+..................+...............
.......+.+++++++++++++++++++++++++++++++++++++++++++++++++++*

OpenSSL> genpkey -paramfile dsa_test.prm -out dsa_test.key

OpenSSL> req -x509 -in rsa_test.csr -key dsa_test.key -out rsa_dsa_test.crt

OpenSSL> x509 -in rsa_dsa_test.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f6:7d:11:23:20:b6:f1:77
    Signature Algorithm: dsa_with_SHA256
        Issuer: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Validity
            Not Before: Aug 21 13:02:46 2016 GMT
            Not After : Sep 20 13:02:46 2016 GMT
        Subject: C=us, ST=NY, L=New York, O=Donald Inc., OU=IT, CN=www.donald.inc/emailAddress=john@donald.inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
                Modulus:
                    00:f6:d5:d3:79:87:8d:9d:83:49:6f:fb:08:67:08:
                    fb:0f:ab:b4:7f:51:55:7b:49:fa:e3:47:8e:6e:22:
                    d7:ba:ad:dc:10:56:e9:b3:42:f7:25:20:9d:a5:e3:
                    5f:5e:7c:95:cb:5a:22:f3:8f:3d:e1:b2:0a:fa:15:
                    c5:16:64:17:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Authority Key Identifier:
                keyid:99:FB:5B:B6:BE:B4:E2:2B:4D:46:75:3F:0E:5E:52:36:F1:0E:A4:DB
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: dsa_with_SHA256
         r:
             1c:c1:8c:6a:0f:79:b6:68:33:ec:59:30:aa:e9:f1:
             19:03:5a:c0:1f
         s:
             00:91:d5:16:e3:8c:8f:71:57:0c:c8:e1:69:04:4a:
             d1:a5:62:b8:29:91
As you can see from the "x509 -in rsa_dsa_test.crt -text -noout" output, the final certificate is really a normal certificate: the subject's public key is RSA (rsaEncryption), but the signature was produced with the DSA issuer key (dsa_with_SHA256), and that signing key is not related to the key being certified at all. Only the subject name and the issuer name are identical. Note also that the Authority Key Identifier was computed from the RSA subject key, so it matches the Subject Key Identifier, and the certificate passes for self-signed with anything that compares only names and key identifiers. The mismatch shows up only when the signature is actually checked against the certificate's own public key, which a DSA signature over an RSA key can never pass.
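The same procedure end to end, as an added example that is not code from the original page: it generates the RSA CSR, signs it with an unrelated key (EC P-256 here instead of the page's DSA key, because it generates instantly; the effect is the same), reads back the two algorithm identifiers the certificate carries, and then asks OpenSSL to actually check the self-signature with the certificate's own key. An "openssl" binary on PATH and every file name below are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes "openssl" (1.1.x or 3.x) is on PATH.
# All file names are hypothetical and live in a throw-away directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=us/ST=NY/L=New York/O=Donald Inc./OU=IT/CN=www.donald.inc/emailAddress=john@donald.inc"

# Step 1: RSA key pair and a CSR for it (2048 bits rather than the page's 512).
# The CSR's own signature is made with rsa_test.key.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rsa_test.key" 2>/dev/null
    openssl req -new -key "$WORK/rsa_test.key" -subj "$SUBJ" -out "$WORK/rsa_test.csr"
}

# Step 2: an unrelated signing key. The page used DSA; P-256 is used here because it
# needs no parameter generation. The point, a signing key of a different type that has
# nothing to do with the subject key, is the same.
make_signing_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/ec_test.key"
}

# Step 3: "req -x509" takes the public key and subject name from the CSR but signs with
# whatever -key names. The issuer name is copied from the subject, so the names match.
cross_sign() {
    openssl req -x509 -in "$WORK/rsa_test.csr" -key "$WORK/ec_test.key" -days 30 \
        -out "$WORK/rsa_ec_test.crt"
}

# Step 4: read back the two algorithm identifiers the certificate carries.
subject_key_alg() {
    openssl x509 -in "$WORK/rsa_ec_test.crt" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: //p'
}
signature_alg() {
    openssl x509 -in "$WORK/rsa_ec_test.crt" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Step 5: make OpenSSL check the self-signature with the certificate's own key.
# "openssl verify" normally skips the signature on a trust anchor, which is why such a
# certificate can look fine; -check_ss_sig forces the check. An ECDSA signature can never
# be validated with an RSA public key, so this fails (the error text printed differs
# between OpenSSL releases, the exit status is non-zero in all of them).
self_signature_verifies() {
    openssl verify -check_ss_sig -CAfile "$WORK/rsa_ec_test.crt" \
        "$WORK/rsa_ec_test.crt" >/dev/null 2>&1
}

make_csr
make_signing_key
cross_sign
echo "subject public key algorithm:   $(subject_key_alg)"
echo "certificate signature algorithm: $(signature_alg)"
if self_signature_verifies; then
    echo "self-signature verifies with the subject key (unexpected)"
else
    echo "self-signature does NOT verify with the subject key: not a true self-signed certificate"
fi
```

Run it as "sh cross_sign.sh". The two echoed lines show rsaEncryption against ecdsa-with-SHA256, the same shape of mismatch as rsaEncryption against dsa_with_SHA256 in the page's output, and the final line shows that the certificate is rejected as soon as the signature is actually checked rather than merely compared by name and key identifier.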
⇒ OpenSSL Not Validate Signature in Self-Signed Certificate
2016-11-05