OpenSSL "ca" - Sign CSR with CA Certificate

Q

How to sign a CSR with my CA certificate and private key using OpenSSL "ca" command? I think my configuration file has all the settings for the "ca" command.

✍: FYIcenter.com

A

If you have you configuration file ready and all the required directories and files created, you can sign a CSR with your CA certificate and private key using the OpenSSL "ca" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt
   -policy policy_anything

Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jul 31 23:50:36 2016 GMT
            Not After : Jul 31 23:50:36 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = NY
            localityName              = NY
            organizationName          = FYIcenter.com
            commonName                = www.fyicenter.com
            emailAddress              = joe@fyicenter.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0A:2B:BE:16:1A:2D:74:E0:F4:A1:B4:9C:44:E1:B4:73:92:91:68:C2
            X509v3 Authority Key Identifier:
                keyid:7E:2F:80:3A:74:C8:4C:04:15:66:C6:B0:D3:47:D5:DE:D4:71:4A:FF

Certificate is to be certified until Jul 31 23:50:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Notes about this test:

The "-in test.csr" option tells "ca" command to read the CSR from the given file.
The "-keyfile my_ca.key" option tells "ca" command to read the private key from the given file.
The "-cert my_ca.crt " option tells "ca" command to read the CA certificate from the given file.
The "-out test.crt" option tells "ca" command to save the new certificate to the given file.
The "-policy policy_anything" option tells "ca" command to use the [policy_anything] section from the configuration file to avoid the default and more limited policy.

⇒ OpenSSL "ca" - Track CSR Signing History

⇐ OpenSSL "ca" Error "stateOrProvinceName field needed to be the same"

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-13, ∼2887🔥, 0💬

💬 2022-07-26 FYIcenter.com: Thanks for the suggestion!

💬 2022-07-26 flash: in openssl.cfg file give double slash in folder path dir = C:\\OpenSSL-Win64\\bin\\demoCA

💬 2017-02-21 FYIcenter.com: Hi sanakhan, thanks for the suggestion.

(More comments ...)

OpenSSL "ca" - "error while loading serial number"
Why I am getting the "error while loading serial number" error when running OpenSSL "ca" command? If you are running the OpenSSL "ca" command installed with the slproweb binary package for Windows, you may get the "error while loading serial number" error as shown below: C:\Users\fyicenter>\l.. . 2016-09-13, ≈39🔥, 0💬

OpenSSL "ca" Error "unable to open ./demoCA/index.txt"
Why I am getting the "unable to open './demoCA/index.txt'" error when running OpenSSL "ca" command? If you are running the OpenSSL "ca" command installed with the slproweb binary package for Windows, you may get the "unable to open './demoCA/index.txt'" error as shown below: C:\Users\fyicenter&g... 2016-09-18, ≈21🔥, 0💬

OpenSSL "ca" Error "failed to update database TXT_DB error number 2"
Why I am getting the "failed to update database TXT_DB error number 2" error when running OpenSSL "ca" command? If you are using the OpenSSL "ca" command to sign a CSR that has the same DN (Distinguished Name) fields as an old CSR you have signed before, you will get the "failed to update database T... 2016-09-13, ≈15🔥, 0💬

OpenSSL "ca" - "error while loading CRL number"
Why I am getting the "error while loading CRL number" error when running OpenSSL "ca -gencrl" command? If you are running the OpenSSL "ca -gencrl" command installed with the slproweb binary package for Windows, you may get the "error while loading CRL number" error as shown below: C:\Users\fyicenter... 2016-09-10, ∼8895🔥, 0💬

OpenSSL "ca -revoke" - Revoke a Certificate
How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed. If you want revoke a certificate that was signed by you previously, you can use the OpenSSL "ca -revoke" command to revoke it. Actually, the certificat... 2016-09-10, ∼8113🔥, 0💬

OpenSSL "ca" Error "stateOrProvinceName field needed to be the same"
Why I am getting the "The stateOrProvinceName field needed to be the same in the CA certificate (...) and the request (...)" error when running OpenSSL "ca" command? If you are running the OpenSSL "ca" command installed with the slproweb binary package for Windows, you may get the "The stateOrProvin... 2016-09-13, ∼8070🔥, 0💬

OpenSSL "ca" - Create CA Certificate for Testing
How to generate a new root CA certificate to test the OpenSSL "ca" command? If you need some root CA (Certificate Authority) certificates for testing purpose, you can generate them using the OpenSSL "req" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\bin\openssl.e xeOpenSSL&... 2016-09-18, ∼3473🔥, 0💬

OpenSSL "ca" - Sign the CSR Again
How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c... 2016-09-10, ∼3096🔥, 0💬

OpenSSL "ca" - Sign CSR with CA Certificate
How to sign a CSR with my CA certificate and private key using OpenSSL "ca" command? I think my configuration file has all the settings for the "ca" command. If you have you configuration file ready and all the required directories and files created, you can sign a CSR with your CA certificate and p... 2016-09-13, ∼2888🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.