OpenSSL "ca -selfsign" - Self Sign CSR


How to sign my own CSR to create a self-signed certificate using the OpenSSL "ca" command?



You can use the OpenSSL "req -new -x509" command to generate a self-signed certificate from your private key.

But you can also use the "ca -selfsign" command to generate a self-signed certificate from your CSR as shown below:


OpenSSL> x509 -x509toreq -in my_ca.crt -signkey my_ca.key -out my_ca.csr
Getting request Private Key
Enter pass phrase for my_ca.key:fyicenter
Generating certificate request

OpenSSL> ca -selfsign -in my_ca.csr -keyfile my_ca.key -out my_ca_2.crt
Using configuration from C:\local\OpenSSL-Win32\bin\openssl.cfg
Enter pass phrase for my_ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4100 (0x1004)
            Not Before: Sep  3 00:33:07 2016 GMT
            Not After : Sep  3 00:33:07 2017 GMT
            countryName               = US
            stateOrProvinceName       = TX
            organizationName          =
            organizationalUnitName    = Security
            commonName                = FYIcenter Root CA
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

Certificate is to be certified until Sep  3 00:33:07 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

OpenSSL> exit

C:\Users\fyicenter>type demoCA\index.txt
V       170903003307Z           1004    unknown /C=US/ST=TX/
   /OU=Security/CN=FYIcenter Root CA/

Notes about the above test:

  • "x509 -x509toreq -signkey my_ca.key" - OpenSSL command to convert your own certificate back to a CSR. It requires you to provide your private key to sign the CSR.
  • "ca -selfsign -in my_ca.csr" - OpenSSL command to self-sign a CSR. The input CSR will be used as the issuer certificate.
  • "type demoCA\index.txt" - Windows command to list certificates in the certificate database.


OpenSSL "ca -config" - Using Configuration File

OpenSSL "crl -text" - View CRL in Test Format

OpenSSL "ca" Command

⇑⇑ OpenSSL Tutorials

2016-09-09, 1186👍, 0💬