OpenSSL "req -x509 -extensions" - Specify Self-Signed Certificate V3 Extensions


How to specify x.509 v5 extensions options in the configuration file for generating self-signed certificate using the OpenSSL "req -x509" command?



You can use x.509 v3 extensions options when using OpenSSL "req -x509" command to generate a self-signed certificate. The provided x509 extensions will be included in the resulting self-signed certificate.

In order to user x.509 v3 extensions options for the OpenSSL "req -x509" command, first you need write them in a named section in the configuration file. For example:

basicConstraints       = critical, CA:true
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = cRLSign, keyCertSign
extendedKeyUsage       = codeSigning, timeStamping
subjectAltName         =,
issuerAltName          = issuer:copy

Then you can provided this named section [my_req_x509_ext] to the "req -x509" command in two ways:

1. Using "x509_extensions" option in the [req] section - You can set "x509_extensions=my_req_x509_ext" in the [req] section of the configuration file. For example:

input_password  = fyicenter
x509_extensions = my_req_x509_ext


2. Using "-extensions" option in the "req -x509" command - For example, "req -x509 -extensions my_req_x509_ext" command will take x.509 v3 extensions from the [my_req_x509_ext] section in the configuration file.

Note that you can use any of x.509 v3 extensions when generating self-signed certificates using the "req -x509" command. But some of them are useless in the case of self-signed certificates.


OpenSSL "req -x509 -extensions" - Test Self-Signed Certificate V3 Extensions

OpenSSL "req -new -reqexts" - Test CSR V3 Extensions

OpenSSL "req" Command

⇑⇑ OpenSSL Tutorials

2016-10-25, 2203👍, 0💬