How to issue a certificate with OpenSSL

Posted on 2010-01-07
Last Modified: 2012-08-14
Short version of my question:

How do I use OpenSSL to create a non-self-signed certificate? This assumes I already have a self-signed certificate and private key set up.

Long version of my question:

To create my self-signed certificate, I did the following:
openssl genrsa -out ca.key 1024
openssl req -new -x509 -days 1001 -key ca.key -out ca.cer

Now that I have ca.cer, the self-signed cert, how do I sign other certificates (i.e., non-self-signed ones)?
Question by: pzkhan

    Expert Comment

    Do you mean how do you create a real cert?
    If that is the question, then you need to generate a CSR and send it to a signing company to sign it for real, and they return the cert.

    If you mean how can you sign other certs yourself using the current cert as a CA
    then read this :

    The certs you sign will still be 'self-signed' as you are not a real CA. So you would need to install the CA cert into the browsers you will be using for these sites unless you are happy seeing errors.

    Author Comment

    Perhaps my terminology is off. Let me try to be more clear.

    When I say self-signed certificate, I mean:
    Issuer: Farhan Certs Inc.
    Issued to: Farhan Certs Inc.

    Is there a way I can do:
    Issuer: Farhan Certs Inc.
    Issued to:

    Then, install the Self-Signed Certificate on my development machine's browser so that when IE or Firefox goes to and receives its certificate, it can verify that it has been signed by Farhan Certs Inc.

    Is that possible? I hope that makes sense.

    Expert Comment

    Yes. That makes sense.
    It is the bottom thing above. You are becoming a self-signing CA.
    (CA is a signing authority)

    So see

    or google 'How to self sign CA with openSSL'

    You can then install these certs on the web server and install the CA in the browsers and it will work.

    Expert Comment

    Question was answered. If you do not have a full answer, then ask the question again, maybe in a different way, or tell me what you are missing and I will try to help (or another member of the team).

    Author Comment

    I appreciate the help, but it was not an answer. You directed me to a website that did not answer my question and said use Google. If I was successful with Google, I would not have come here.

    I created a self-signed, root-level certificate with OpenSSL. That process left me with:
    A) The self-signed, root-level cert
    B) The private key

    As I understand it, third parties then create their own private/public key pair and send you their public key to be signed by the CA's private key, thus creating a certificate.

    My questions are:
    A) Using OpenSSL, how do I create that public/private key pair (pre-signing) on the requestor's side?
    B) How do I sign it with the private key from the CA?

    Accepted Solution

    The requestor does something like this:

    openssl genrsa -out 2048
    openssl req -new -key -out

    This gives you the .key file (the private key) and the .csr (certificate request file).

    They send you just the .csr.


    Now you sign it with something like:

    openssl x509 -req -in -CA yourca.crt -CAkey yourca.key -out -days 365 -CAcreateserial -CAserial yourca.seq

    where:

    x509 -req : tells it to sign a CSR

    -in : name of the CSR to work on

    -CA yourca.crt : the file holding the CA's public key certificate

    -CAkey yourca.key : your private key file for the CA

    -days 365 : number of days the cert is valid for

    -out : create this cert file (you send this back to the user)

    -CAcreateserial : create a serial number file to track certs

    -CAserial yourca.seq : and store the serial numbers in this file


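The full round-trip the asker describes in questions A) and B) and the accepted solution sketches (CA key and root cert, requestor key and CSR, CA signs the CSR, browser-style chain check) as one runnable script. This is an added example, not code from the thread; the file names, subject names, the `dev.example.test` host name and the 2048-bit key size are assumptions, and it assumes a current OpenSSL (1.1.x or 3.x) on PATH. It also adds the `-extfile` step the thread does not mention: `x509 -req` copies no extensions from the CSR, so without it the issued cert carries no subjectAltName and current browsers will not accept it for a host even with the CA installed.

```shell
#!/bin/sh
# Added example (not from the original thread): CA -> CSR -> signed cert -> verify.
# All file and subject names below are constructed for the demonstration.
set -e

# issue_cert WORKDIR
# Builds a throwaway CA in WORKDIR, generates a requestor key + CSR, signs the
# CSR with the CA key, and verifies the result against the CA cert.
# The body runs in a subshell so the cd does not leak to the caller.
issue_cert() (
    dir="$1"
    mkdir -p "$dir"
    cd "$dir"

    # 1. The CA: private key and self-signed root (Issuer == Subject).
    #    2048-bit RSA with SHA-256; the 1024-bit key in the question is
    #    no longer accepted by browsers.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1001 -key ca.key -out ca.cer \
        -subj "/O=Farhan Certs Inc./CN=Farhan Certs Inc. Root CA" 2>/dev/null

    # 2. The requestor: its own key pair and a CSR.
    #    Only server.csr is sent to the CA; server.key never leaves the requestor.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -sha256 -key server.key -out server.csr \
        -subj "/O=Example Dev/CN=dev.example.test" 2>/dev/null

    # 3. Extensions the CA puts on the issued cert (assumed values).
    #    Without subjectAltName, browsers reject the cert for the host name;
    #    CA:FALSE stops the issued cert from being used to sign further certs.
    printf '%s\n' 'subjectAltName=DNS:dev.example.test' \
                  'basicConstraints=CA:FALSE' \
                  'keyUsage=digitalSignature,keyEncipherment' > server.ext

    # 4. The CA signs the CSR: Issuer = Farhan Certs Inc., Subject = requestor.
    #    -CAcreateserial creates ca.seq on first use; later runs increment it.
    openssl x509 -req -sha256 -in server.csr -CA ca.cer -CAkey ca.key \
        -CAcreateserial -CAserial ca.seq -days 365 \
        -extfile server.ext -out server.cer 2>/dev/null

    # 5. Check the chain the way a browser would once ca.cer is installed
    #    as a trusted root. Prints "server.cer: OK" and returns 0 on success.
    openssl verify -CAfile ca.cer server.cer
)

# show_names CERTFILE: print Issuer and Subject so the relationship is visible.
show_names() {
    openssl x509 -in "$1" -noout -issuer -subject
}

# Usage (uncomment to run stand-alone):
# issue_cert ./demo-ca && show_names ./demo-ca/server.cer
```

After a run, `show_names` on `server.cer` shows the Issuer as the CA and the Subject as the requestor, which is exactly the split the asker wanted, while `ca.cer` shows the same name in both fields. Installing `ca.cer` (never `ca.key`) into the browser's trust store is what makes `server.cer` validate; `ca.key` should stay offline, since anyone holding it can issue certificates the browser will trust.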
    Author Closing Comment

    Thanks for the help! Sorry for being a bit rude.
