Generating Certificate Request with OpenSSL - dogtagpki/pki GitHub Wiki

Generating Certificate Request with New Key

To generate a certificate request with a new key:

$ openssl req \
    -new \
    -newkey rsa:2048 \
    -nodes \
    -keyout testuser.key \
    -subj "/UID=testuser/DC=example/DC=com" \
    -out testuser.csr

Generating Certificate Request with Existing Key

To generate a certificate request with an existing key:

$ openssl req \
    -new \
    -key testuser.key \
    -nodes \
    -subj "/UID=testuser/DC=example/DC=com" \
    -out testuser.csr

Generating Certificate Request with SAN Extension

To generate a certificate request with an empty subject and a SAN extension, specify the extension in a configuration file (e.g. sslserver.conf):

[req]
req_extensions     = req_ext

[req_ext]
subjectAltName     = @alt_names

[alt_names]
DNS.1              = www.example.com
DNS.2              = pki.example.com

then generate the certificate request as follows:

$ openssl req \
    -new \
    -newkey rsa:2048 \
    -nodes \
    -keyout sslserver.key \
    -subj "/" \
    -out sslserver.csr \
    -config sslserver.conf

Verifying Certificate Request

To verify the certificate request:

$ openssl req -text -noout -in <filename>
Tip
 To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis.
⚠️ **GitHub.com Fallback** ⚠️