OpenSSL "ca -selfsign" - Self Sign CSR

Q

How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command?

✍: FYIcenter.com

A

You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key.

But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR as shown below:

C:\Users\fyicenter>\local\OpenSSL-Win32\bin\openssl.exe

OpenSSL> x509 -x509toreq -in my_ca.crt -signkey my_ca.key -out my_ca.csr
Getting request Private Key
Enter pass phrase for my_ca.key:fyicenter
Generating certificate request

OpenSSL> ca -selfsign -in my_ca.csr -keyfile my_ca.key -out my_ca_2.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4100 (0x1004)
        Validity
            Not Before: Sep  3 00:33:07 2016 GMT
            Not After : Sep  3 00:33:07 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = TX
            organizationName          = FYIcenter.com
            organizationalUnitName    = Security
            commonName                = FYIcenter Root CA
            emailAddress              = root-ca@fyicenter.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:2F:80:3A:74:C8:4C:04:15:66:C6:B0:D3:47:D5:DE:D4:71:4A:FF
            X509v3 Authority Key Identifier:
                keyid:7E:2F:80:3A:74:C8:4C:04:15:66:C6:B0:D3:47:D5:DE:D4:71:4A:FF

Certificate is to be certified until Sep  3 00:33:07 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

OpenSSL> exit

C:\Users\fyicenter>type demoCA\index.txt
...
V       170903003307Z           1004    unknown /C=US/ST=TX/O=FYIcenter.com
   /OU=Security/CN=FYIcenter Root CA/emailAddress=root-ca@fyicenter.com

Notes about the above test:

"x509 -x509toreq -signkey my_ca.key" - OpenSSL command to convert your own certificate back to a CSR. It requires you to provide your private key to sign the CSR.
"ca -selfsign -in my_ca.csr" - OpenSSL command to self-sign a CSR. The input CSR will be used as the issuer certificate.
"type demoCA\index.txt" - Windows command to list certificates in the certificate database.

⇒ OpenSSL "ca -config" - Using Configuration File

⇐ OpenSSL "crl -text" - View CRL in Test Format

⇑ OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-09, 2321👍, 0💬

💬 2022-04-11 yaqeen: openssl ca -config myCA_openssl.cnf -policy policy_anything \ -md sha256 -days 3650 \ -in server.csr -out server.crt -batch \ -c...

OpenSSL "ca" Error "lookup failed for ca::database"
Why I am getting the "variable lookup failed for ca::database" error when running OpenSSL "ca" command? You are getting the "variable lookup failed for ca::database" error, because OpenSSL "ca" command can not find the required "database" option in the configuration file. For example, if you have th... 2016-09-08, 12913👍, 0💬

OpenSSL "ca" Error "... directory for new certificate ..."
Why I am getting the "there needs to be defined a directory for new certificate to be placed in" error when running OpenSSL "ca" command? You are getting the "there needs to be defined a directory for new certificate to be placed in" error, because OpenSSL "ca" command can not find the required "new... 2016-09-09, 8922👍, 0💬

OpenSSL "ca -gencrl" - Generate CRL
How to generate a CRL using the OpenSSL "ca" command? I need to publish the CRL to inform users about certificates I have revoked. If you want to generate a CRL (Certificate Revocation List), you can use the OpenSSL "ca -gencrl" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 6964👍, 0💬

OpenSSL "ca" - "error while loading CRL number"
Why I am getting the "error while loading CRL number" error when running OpenSSL "ca -gencrl" command? If you are running the OpenSSL "ca -gencrl" command installed with the slproweb binary package for Windows, you may get the "error while loading CRL number" error as shown below: C:\Users\fyicenter... 2016-09-10, 5930👍, 0💬

OpenSSL "crl -text" - View CRL in Test Format
How to view a CRL in text format using the OpenSSL "crl" command? I want to see what certificates are listed in the CRL. If you want to view the content of a CRL (Certificate Revocation List), you can use the OpenSSL "crl -text" command as shown below: C:\Users\fyicenter>\loc al\OpenSSL-Win32\... 2016-09-10, 4855👍, 0💬

OpenSSL "ca -revoke" - Revoke a Certificate
How to revoke a certificate using the OpenSSL "ca" command? The certificate was signed by me with my CA certificate, but now it is no longer needed. If you want revoke a certificate that was signed by you previously, you can use the OpenSSL "ca -revoke" command to revoke it. Actually, the certificat... 2016-09-10, 4237👍, 0💬

OpenSSL "ca -selfsign" - Self Sign CSR
How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command? You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key. But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR... 2016-09-09, 2322👍, 0💬

OpenSSL [ca] Section in Configuration File
How to provide OpenSSL "ca" command options in the configuration file? I see examples of using the [ca] section. Yes, you can use the [ca] section to help providing OpenSSL "ca" command options in the configuration file. But there are 4 ways to provide "ca" command options: 1. Using unnamed section ... 2016-09-09, 1994👍, 0💬

OpenSSL "ca" - Sign the CSR Again
How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c... 2016-09-10, 1868👍, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.