"openssl req -x509" - Generate Self-Signed Certificate

This section describes the 'openssl req -x509' command, which allows you to generate a self-signed certificate from a CSR, an existing key pair, or an internally generated key pair.

The "openssl req -x509" command allows you to generate a self-signed certificate from a CSR (Certificate Signing Request), an existing private/public key pair, or an internally generated key pair. A self-signed certificate is used by a CA (Certificate Authority) to sign other certificates, or by yourself for testing purposes.

1. Generate a self-signed certificate from a CSR. The original key pair of the CSR is needed to sign the certificate.

herong$ ls -l csr.pem key.pem 
  -rw-rw-r-- 1 herong herong 485 Nov 18 21:28 csr.pem
  -rw------- 1 herong herong 452 Nov 18 21:27 key.pem

herong$ openssl req -in csr.pem -x509 -key key.pem -out cert.pem 
  Enter pass phrase for key.pem: TopSecret

herong$ openssl x509 -in cert.pem -text -noout

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      02:7e:74:f9:ed:3f:ea:4a:64:a4:de:57:26:6f:67:e1:2f:5b:07:77
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = ZZ, L = My City, CN = Herong Yang
    Validity
      Not Before: Nov 18 13:52:50 2024 GMT
      Not After : Dec 18 13:52:50 2024 GMT
    Subject: C = ZZ, L = My City, CN = Herong Yang
    Subject Public Key Info:
      Public Key Algorithm: id-ecPublicKey
        Public-Key: (384 bit)
        pub:
          04:76:66:7b:d2:f6:c3:64:35:23:e2:63:d7:d1:9a:
          f8:e9:f5:7a:79:ac:82:0a:93:10:3d:f5:ce:b6:8b:
          ...
          c6:50:ea:f9:68:85:41
        ASN1 OID: secp384r1
        NIST CURVE: P-384
    X509v3 extensions:
      X509v3 Subject Key Identifier: 
        A0:CC:AA:93:98:22:C7:01:62:F8:25:BD:65:23:B5:06:02:8F:62:E7
      X509v3 Authority Key Identifier: 
        keyid:A0:CC:AA:93:98:22:C7:01:62:F8:25:BD:65:23:B5:06:02:8F:62:E7
      X509v3 Basic Constraints: critical
        CA:TRUE
  Signature Algorithm: ecdsa-with-SHA256
    30:66:02:31:00:c2:45:d1:06:ab:16:19:81:dc:ba:4d:00:7f:
    ec:7f:5c:03:45:f8:cb:d3:fd:dd:a7:3e:50:4c:1a:a5:de:7c:
    ...
    31:27:aa:a2:a0:19:3d:e6:91:a5:0f:28:b3:e0

2. Generate a self-signed certificate from a key pair.

herong$ ls -l key.pem 
  -rw------- 1 herong herong 452 Nov 18 21:27 key.pem

herong$ openssl req -x509 -key key.pem -out cert.pem 
  Enter pass phrase for key.pem: TopSecret

  You are about to be asked to enter information that will be 
  incorporated into your certificate request.
  ...

herong$ openssl x509 -in cert.pem -text -noout

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      35:fa:9c:87:1a:c3:f4:84:67:53:2c:80:45:ec:9d:e3:f3:5b:19:38
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = ZZ, L = My City, CN = Herong Yang
    Validity
        Not Before: Nov 18 14:03:59 2024 GMT
        Not After : Dec 18 14:03:59 2024 GMT
    Subject: C = ZZ, L = My City, CN = Herong Yang
    ...

3. Generate a self-signed certificate from an internally generated key pair.

herong$ openssl req -x509 -newkey rsa -keyout key.pem -out cert.pem 
  Generating a RSA private key
  ............................................................+++++
  .....................+++++
  writing new private key to 'key.pem'
  Enter PEM pass phrase: TopSecret
  Verifying - Enter PEM pass phrase: TopSecret

  -----
  You are about to be asked to enter information that will be 
  incorporated into your certificate request.
  ...

herong$ openssl x509 -in cert.pem -text -noout

Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      53:a9:85:15:bf:0f:e3:bd:a9:52:4b:46:e8:35:58:33:34:45:f7:d7
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = ZZ, L = My City, CN = Herong Yang
    Validity
      Not Before: Nov 18 14:11:00 2024 GMT
      Not After : Dec 18 14:11:00 2024 GMT
    Subject: C = ZZ, L = My City, CN = Herong Yang
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Modulus: 
        ...
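
The sessions above are interactive and the result is inspected by eye. The script below is an added example, not part of the original tutorial: it repeats step 1 without prompts and then checks that the certificate carries the same public key as the CSR and key file, that issuer equals subject, and that the signature verifies under the certificate's own key. The function names, file names and pass phrase are constructed for illustration; the subject is the one shown in the output above.

```shell
#!/bin/sh
# Added example. Function names, file names and the pass phrase are constructed.
# "pass:..." is visible in the process list; prefer file: or env: for real keys.
PW=pass:example-only

# make_sample DIR: create key.pem, csr.pem and cert.pem as in step 1 of the page.
make_sample() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -aes-256-cbc -pass "$PW" -out "$1/key.pem" 2>/dev/null || return 1
    openssl req -new -key "$1/key.pem" -passin "$PW" \
        -subj "/C=ZZ/L=My City/CN=Herong Yang" -out "$1/csr.pem" || return 1
    openssl req -in "$1/csr.pem" -x509 -key "$1/key.pem" -passin "$PW" \
        -out "$1/cert.pem"
}

# check_selfsigned CERT KEY CSR: 0 = consistent; 2, 3 or 4 names the failed check.
check_selfsigned() {
    k=$(openssl pkey -in "$2" -passin "$PW" -pubout) || return 1
    r=$(openssl req -in "$3" -noout -pubkey) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    # 2: the certificate must carry the same public key as the CSR and key file.
    [ "$k" = "$r" ] && [ "$r" = "$c" ] || return 2
    # 3: self-signed means the issuer name equals the subject name.
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ] || return 3
    # 4: the signature must verify under the certificate's own public key.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 4
}

# Demo run in a scratch directory that is removed afterwards.
d=$(mktemp -d) && make_sample "$d" 2>/dev/null
check_selfsigned "$d/cert.pem" "$d/key.pem" "$d/csr.pem"
echo "check_selfsigned returned $?"
rm -rf "$d"
```

A return value of 2 is the case to watch for when key files get mixed up: the certificate is well formed but belongs to a different private key than the one on disk.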
