To view the details of a certificate and verify the information, you can use the following command: # Review a certificate openssl x509 -text -noout -in certificate.pem Generate the CSR. The important is the "Common Name". The attribute - new means this is a new request. Set as the server's hostname. $ openssl x509 -req -days 365 -in t1.csr -signkey key.pem -out t1.crt Self Sign CSR Generating a Self-Singed Certificates I am trying to generate a self-signed certificate with OpenSSL with SubjectAltName in it.While I am generating the csr for the certificate, my guess is I have to use v3 extensions of OpenSSL x509. While doing this to open CA private key named key.pem we need to enter a password. And type is commonly used x509 $ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365. req is the OpenSSL utility for generating a CSR.-newkey rsa:2048 tells OpenSSL … Some info is requested. And then we create a self-signed certificate, valid for 10 years, for this key; openssl genrsa -des3 -out ca.key 2048 openssl req -new -key ca.key -out ca.csr openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt. To sign the certificate, use the openssl x509 command. Use the private key to create a certificate signing request (CSR). Below is the example for generating – $ openssl x509 in domain.crt-signkey domain.key -x509toreq -out domain.csr. Let’s break the command down: openssl is the command for running OpenSSL. # Sign the certificate signing request openssl x509 -req -days 365 -in signreq.csr -signkey privkey.pem -out certificate.pem View certificate details. Basic signing might be neccessary when the "openssl ca" magic is too much and cannot be turned off in certain usecases. Yes, you can sign you own CSR (Certificate Sign Request) with the OpenSSL "req -x509" command as shown below. The following example uses the private key from the previous step (privatekey.pem) and the signing request (csr.pem) to create a public certificate named public.crt that is valid for 365 days. Now sign the CSR with 365 days validity and create t1.crt. With an existing X509 Certificate and it's corresponding private key, OpenSSL makes it simple to recreate the CSR that was used to generate the Certificate: $ openssl x509 -x509toreq -in my.crt -out my.csr -signkey my.key. The openssl req generates a certificate or a certificate signing request (CSR). Once a certificate signing request (CSR) is created, it is possible to view the detailed information used to create the request. I am using : openssl req -new -x509 -v3 -key private.key -out certificate.pem -days 730 Can someone help me with the exact syntax? OpenSSL "req -x509" - Sign My Own CSR Can I sign my own CSR with the OpenSSL "req -x509" command? The OpenSSL command below will generate a 2048-bit RSA private key and CSR: openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr. For server certificates, the Common Name must be a fully qualified domain name (eg,, whereas for client certificates it can be any unique identifier (eg, an e-mail address). The CSR details don’t need to match the intermediate CA. openssl req -new -config test.conf -out TEST.csr. Where -x509toreq is specified that we are using the x509 certificate files to make a CSR. openssl x509 -req -in TEST.csr -CA intermediate.crt -CAkey privkey.key -CAcreateserial -out TEST.crt -sha256. Here, the CSR will extract the information using the .CRT file which we have. Sign the CSR with intermediate.crt which should not be possible. The result is a self-signed certificate. my.crt is your existing certificate and my.key is your existing key. To view the details of the certificate signing request contained in the file server.csr, use the following: openssl req -noout -text -in server.csr While already supported with "openssl ca", basic signing does not support the "copy_extension" mode.