OpenSSL "ca" - Sign CSR with CA Certificate

Q

How to sign a CSR with my CA certificate and private key using OpenSSL "ca" command? I think my configuration file has all the settings for the "ca" command.

✍: FYIcenter.com

A

If you have your configuration file ready and all the required directories and files created, you can sign a CSR with your CA certificate and private key using the OpenSSL "ca" command as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> ca -in test.csr -keyfile my_ca.key -cert my_ca.crt -out test.crt -policy policy_anything

Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:fyicenter
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jul 31 23:50:36 2016 GMT
            Not After : Jul 31 23:50:36 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = NY
            localityName              = NY
            organizationName          = FYIcenter.com
            commonName                = www.fyicenter.com
            emailAddress              = joe@fyicenter.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0A:2B:BE:16:1A:2D:74:E0:F4:A1:B4:9C:44:E1:B4:73:92:91:68:C2
            X509v3 Authority Key Identifier:
                keyid:7E:2F:80:3A:74:C8:4C:04:15:66:C6:B0:D3:47:D5:DE:D4:71:4A:FF

Certificate is to be certified until Jul 31 23:50:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Notes about this test:

  • The "-in test.csr" option tells the "ca" command to read the CSR from the given file.
  • The "-keyfile my_ca.key" option tells the "ca" command to read the CA private key from the given file.
  • The "-cert my_ca.crt" option tells the "ca" command to read the CA certificate from the given file.
  • The "-out test.crt" option tells the "ca" command to save the new certificate to the given file.
  • The "-policy policy_anything" option tells the "ca" command to apply the [policy_anything] section of the configuration file instead of the default, more restrictive policy.
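
The same signing step run without prompts against a throwaway CA, followed by three checks worth making on any certificate the "ca" command issues. This is an added example, not part of the original page: the temporary directory, the ca.cnf contents, the subject names, and the `-config`, `-batch` and `-notext` options are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory; all names and config values are constructed.
sign_and_verify() (
  work=$(mktemp -d) && cd "$work" || exit 1
  trap 'rm -rf "$work"' EXIT
  mkdir newcerts && : > index.txt && echo 1000 > serial || exit 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_days = 365
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
  # Test CA and a CSR from a separate key (unencrypted keys: lab use only).
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -keyout my_ca.key \
    -out my_ca.crt -subj "/C=US/O=Example Lab/CN=Example Lab CA" 2>/dev/null || exit 1
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout test.key \
    -out test.csr -subj "/C=US/ST=NY/CN=www.example.test" 2>/dev/null || exit 1
  # The page's options plus -config, -batch (no prompts) and -notext.
  openssl ca -config ca.cnf -batch -notext -in test.csr -keyfile my_ca.key \
    -cert my_ca.crt -out test.crt -policy policy_anything 2>/dev/null || exit 1
  # Check 1: the certificate chains to the CA that was meant to sign it.
  openssl verify -CAfile my_ca.crt test.crt >/dev/null 2>&1 || exit 1
  # Check 2: the certified public key is the one the requester submitted.
  [ "$(openssl req -config ca.cnf -in test.csr -noout -pubkey)" = \
    "$(openssl x509 -in test.crt -noout -pubkey)" ] || exit 1
  # Check 3: the CA database gained exactly one valid (V) entry.
  [ "$(grep -c '^V' index.txt)" -eq 1 ] || exit 1
  openssl x509 -in test.crt -noout -serial
)
sign_and_verify
```

Because policy_anything accepts whatever subject the requester supplies, the "Certificate Details" listing shown before the "Sign the certificate?" prompt is the only review of the name being certified. `-batch` skips that prompt, so use it only where the CSR subject has already been checked some other way.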

 


2016-09-13