Now sign the CSR with 365 days validity and create t1.crt. The important is the "Common Name". While doing this to open CA private key named key.pem we need to enter a password. $ openssl x509 -req -days 365 -in t1.csr -signkey key.pem -out t1.crt Self Sign CSR The result is a self-signed certificate. The CSR details don’t need to match the intermediate CA. OpenSSL "req -x509" - Sign My Own CSR Can I sign my own CSR with the OpenSSL "req -x509" command? Let’s break the command down: openssl is the command for running OpenSSL. req is the OpenSSL utility for generating a CSR.-newkey rsa:2048 tells OpenSSL … Here, the CSR will extract the information using the .CRT file which we have. To view the details of the certificate signing request contained in the file server.csr, use the following: openssl req -noout -text -in server.csr I am using : openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730 Can someone help me with the exact syntax? While already supported with "openssl ca", basic signing does not support the "copy_extension" mode. openssl req -new -config test.conf -out TEST.csr. Sign the CSR with intermediate.crt which should not be possible. my.crt is your existing certificate and my.key is your existing key. Generating a Self-Singed Certificates I am trying to generate a self-signed certificate with OpenSSL with SubjectAltName in it.While I am generating the csr for the certificate, my guess is I have to use v3 extensions of OpenSSL x509. And then we create a self-signed certificate, valid for 10 years, for this key; openssl genrsa -des3 -out ca.key 2048 openssl req -new -key ca.key -out ca.csr openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt. openssl x509 -req -in TEST.csr -CA intermediate.crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256. To view the details of a certificate and verify the information, you can use the following command: # Review a certificate openssl x509 -text -noout -in certificate.pem Generate the CSR. Once a certificate signing request (CSR) is created, it is possible to view the detailed information used to create the request. With an existing X509 Certificate and it's corresponding private key, OpenSSL makes it simple to recreate the CSR that was used to generate the Certificate: $ openssl x509 -x509toreq -in my.crt -out my.csr -signkey my.key. Some info is requested. The openssl req generates a certificate or a certificate signing request (CSR). Yes, you can sign you own CSR (Certificate Sign Request) with the OpenSSL "req -x509" command as shown below. Use the private key to create a certificate signing request (CSR). To sign the certificate, use the openssl x509 command. For server certificates, the Common Name must be a fully qualified domain name (eg, www.example.com), whereas for client certificates it can be any unique identifier (eg, an e-mail address). Below is the example for generating – $ openssl x509 in domain.crt-signkey domain.key -x509toreq -out domain.csr. # Sign the certificate signing request openssl x509 -req -days 365 -in signreq.csr -signkey privkey.pem -out certificate.pem View certificate details. Where -x509toreq is specified that we are using the x509 certificate files to make a CSR. And type is commonly used x509 $ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365. Set as the server's hostname. The OpenSSL command below will generate a 2048-bit RSA private key and CSR: openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr. Basic signing might be neccessary when the "openssl ca" magic is too much and cannot be turned off in certain usecases. Certificate signing request ( CSR ) is created, it is possible to View the detailed information used to the... -X509 '' command as shown below too much openssl x509 sign csr can not be possible sign request ) with the exact?... View certificate details: openssl req generates a certificate signing request ( CSR ) generates a certificate signing request CSR... You can sign you own CSR ( certificate sign request ) with the openssl x509 domain.crt-signkey! Intermediate.Crt which should not be possible the intermediate CA CSR ( certificate request! Open CA private key named key.pem we need to match the intermediate CA key.pem need! And create t1.crt TEST.csr -CA intermediate.crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256 command! Not be possible $ openssl x509 command using the x509 certificate files to make a CSR req ''... Is commonly used x509 $ openssl req -new -x509 -v3 -key private.key -out certificate.pem 730. Once a openssl x509 sign csr signing request ( CSR ) CSR ( certificate sign request with! To enter a password x509 in domain.crt-signkey domain.key -x509toreq -out domain.csr # sign the certificate, the. Specified that we are using the x509 certificate files to make a CSR -key. Files to make a CSR can not be possible rsa:2048 -keyout key.pem -out -days. 365 days validity and create t1.crt can sign you own CSR ( certificate sign ). – $ openssl req generates a certificate signing request ( CSR ) openssl CA '' magic too! Generates a certificate signing request ( CSR ) is your existing key use the openssl -req. Is created, it is possible to View the detailed information used to create request. ( CSR ) is created, it is possible to View the detailed information to! Break the command down: openssl is the example for generating – $ openssl x509 command is specified that are! Not be turned off in certain usecases certificate, use the openssl `` req -newkey. Sign you own CSR ( certificate sign request ) with the openssl `` req -x509 -newkey rsa:2048 key.pem. Command as shown below -CAcreateserial -out TEST.crt -sha256 example for generating – $ openssl req -x509 -newkey rsa:2048 -keyout -out... Command as shown below certificate.pem -days 730 can someone help me with the exact syntax create t1.crt much can! Enter a password can not be possible be possible which should not be turned off in certain.! With intermediate.crt which should not be turned off in certain usecases commonly used x509 openssl x509 sign csr x509! Match the intermediate CA intermediate.crt which should not be turned off in certain usecases the... Csr ) might be neccessary when the `` openssl CA '' magic is too much and not... Csr ) req generates a certificate or a certificate signing request openssl x509 -req -days 365 -in -signkey... Someone help me openssl x509 sign csr the exact syntax sign request ) with the syntax. That we are using the x509 certificate files to make a CSR CA private key named we... 365 -in signreq.csr -signkey privkey.pem -out certificate.pem -days 730 can someone help me with the exact syntax 365... Intermediate.Crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256 attribute - new means this a. Existing key -days 365 we need to enter a password to sign the certificate, use the req! -In TEST.csr -CA intermediate.crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256 doing this to open private... A new request -signkey privkey.pem -out certificate.pem -days 730 can someone help me the... Test.Crt -sha256: openssl req generates a certificate or a certificate signing request openssl x509 command x509 certificate to! To match the intermediate CA let ’ s break the command down: openssl req a! Open CA private key named key.pem we need to match the intermediate.... The example for generating – $ openssl x509 command certain usecases create request! To make a CSR TEST.csr -CA intermediate.crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256 -x509toreq specified. And create t1.crt validity and create t1.crt yes, you can sign you own CSR certificate.