OpenSSL "ca" - Sign CSR with CA Certificate


How to sign a CSR with my CA certificate and private key using OpenSSL "ca" command? I think my configuration file has all the settings for the "ca" command.



If you have you configuration file ready and all the required directories and files created, you can sign a CSR with your CA certificate and private key using the OpenSSL "ca" command as shown below:


OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt
   -policy policy_anything

Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
            Not Before: Jul 31 23:50:36 2016 GMT
            Not After : Jul 31 23:50:36 2017 GMT
            countryName               = US
            stateOrProvinceName       = NY
            localityName              = NY
            organizationName          =
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Jul 31 23:50:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Notes about this test:

  • The "-in test.csr" option tells "ca" command to read the CSR from the given file.
  • The "-keyfile my_ca.key" option tells "ca" command to read the private key from the given file.
  • The "-cert my_ca.crt " option tells "ca" command to read the CA certificate from the given file.
  • The "-out test.crt" option tells "ca" command to save the new certificate to the given file.
  • The "-policy policy_anything" option tells "ca" command to use the [policy_anything] section from the configuration file to avoid the default and more limited policy.


OpenSSL "ca" - Track CSR Signing History

OpenSSL "ca" Error "stateOrProvinceName field needed to be the same"

OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-13, 2234🔥, 0💬