PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"openssl req -x509" - Generate Self-Signed Certificate
This section describes the 'openssl req -x509' command, which allows you to generate a self-signed certificate from a CSR, an existing key pair, or an internally generated key pair.
The "openssl req -x509" command allows you to generate a self-signed certificate from a CSR (Certificate Signing Request), an existing private/public key pair, or an internally generated key pair. A self-signed certificate is used by a CA (Certificate Authority) to sign other certificates, or by yourself for testing purposes.
1. Generate a self-signed certificate from a CSR. The original key pair of the CSR is needed to sign the certificate.
herong$ ls -l csr.pem key.pem
-rw-rw-r-- 1 herong herong 485 Nov 18 21:28 csr.pem
-rw------- 1 herong herong 452 Nov 18 21:27 key.pem

herong$ openssl req -in csr.pem -x509 -key key.pem -out cert.pem
Enter pass phrase for key.pem: TopSecret

herong$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:7e:74:f9:ed:3f:ea:4a:64:a4:de:57:26:6f:67:e1:2f:5b:07:77
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, L = My City, CN = Herong Yang
        Validity
            Not Before: Nov 18 13:52:50 2024 GMT
            Not After : Dec 18 13:52:50 2024 GMT
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:76:66:7b:d2:f6:c3:64:35:23:e2:63:d7:d1:9a:
                    f8:e9:f5:7a:79:ac:82:0a:93:10:3d:f5:ce:b6:8b:
                    ...
                    c6:50:ea:f9:68:85:41
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:CC:AA:93:98:22:C7:01:62:F8:25:BD:65:23:B5:06:02:8F:62:E7
            X509v3 Authority Key Identifier:
                keyid:A0:CC:AA:93:98:22:C7:01:62:F8:25:BD:65:23:B5:06:02:8F:62:E7
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:c2:45:d1:06:ab:16:19:81:dc:ba:4d:00:7f:
         ec:7f:5c:03:45:f8:cb:d3:fd:dd:a7:3e:50:4c:1a:a5:de:7c:
         ...
         31:27:aa:a2:a0:19:3d:e6:91:a5:0f:28:b3:e0
2. Generate a self-signed certificate from a key pair.
herong$ ls -l key.pem
-rw------- 1 herong herong 452 Nov 18 21:27 key.pem

herong$ openssl req -x509 -key key.pem -out cert.pem
Enter pass phrase for key.pem: TopSecret
You are about to be asked to enter information that will be incorporated into your certificate request.
...

herong$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:fa:9c:87:1a:c3:f4:84:67:53:2c:80:45:ec:9d:e3:f3:5b:19:38
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = ZZ, L = My City, CN = Herong Yang
        Validity
            Not Before: Nov 18 14:03:59 2024 GMT
            Not After : Dec 18 14:03:59 2024 GMT
        Subject: C = ZZ, L = My City, CN = Herong Yang
        ...
3. Generate a self-signed certificate from an internally generated key pair.
herong$ openssl req -x509 -newkey rsa -keyout key.pem -out cert.pem
Generating a RSA private key
............................................................+++++
.....................+++++
writing new private key to 'key.pem'
Enter PEM pass phrase: TopSecret
Verifying - Enter PEM pass phrase: TopSecret
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
...

herong$ openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            53:a9:85:15:bf:0f:e3:bd:a9:52:4b:46:e8:35:58:33:34:45:f7:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ZZ, L = My City, CN = Herong Yang
        Validity
            Not Before: Nov 18 14:11:00 2024 GMT
            Not After : Dec 18 14:11:00 2024 GMT
        Subject: C = ZZ, L = My City, CN = Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                ...
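The checks a certificate produced by the steps above should pass, as an added example that is not part of the original tutorial: it repeats step 2 non-interactively, then confirms that issuer equals subject, that the signature verifies under the certificate's own key, and that the certificate carries the public half of the signing key. The temporary directory, req.cnf, other.pem, the helper function names and the unencrypted demo key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial. File names are constructed; the key is
# left unencrypted only so the demo runs without a pass-phrase prompt.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config: supplies the subject so "openssl req" does not prompt.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = ZZ
L = My City
CN = Herong Yang
EOF

new_key() {  # new_key KEYFILE: P-384 key, same curve as the tutorial's key.pem
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out "$1" 2>/dev/null
}

self_sign() {  # self_sign KEY CERT: step 2, certificate from an existing key pair
    openssl req -x509 -config "$WORK/req.cnf" -key "$1" -days 30 -out "$2" 2>/dev/null
}

# Self-signed: issuer equals subject AND the signature verifies under the
# certificate's own public key (the certificate acts as its own trust anchor).
is_self_signed() {  # is_self_signed CERT
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# The certificate must carry the public half of the private key that signed it.
cert_matches_key() {  # cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

new_key "$WORK/key.pem"
new_key "$WORK/other.pem"    # unrelated key for the negative check
self_sign "$WORK/key.pem" "$WORK/cert.pem"

is_self_signed "$WORK/cert.pem" && echo "self-signed: yes"
cert_matches_key "$WORK/cert.pem" "$WORK/key.pem" && echo "matches key.pem: yes"
cert_matches_key "$WORK/cert.pem" "$WORK/other.pem" || echo "matches other.pem: no"
```

The same two functions can be pointed at the cert.pem and key.pem from the steps above; for a pass-phrase-protected key, "openssl pkey" will prompt before printing the public key.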