  • Status: Solved

How to issue a certificate with OpenSSL

Short version of my question:

How do I use OpenSSL to create a non-self-signed certificate? This is assuming I already have a self-signed certificate and private key setup.

Long version of my question:

To create my self-signed certificate, I did the following:
openssl genrsa -out ca.key 1024
openssl req -new -x509 -days 1001 -key ca.key -out ca.cer

Now that I have ca.cer, the self-signed cert, how do I sign other certificates (ie, non-self-signed)?
1 Solution
Do you mean how do you create a real cert ?
If that is the question then you need to generate a csr and send it to a signing company to sign it for real and they return the cert.

If you mean how can you sign other certs yourself using the current cert as a CA
then read this :

The certs you sign will still be 'self signed' as you are not a real CA.  So you would need to install the CA cert into the browsers you will be using for these sites unless you are happy seeing errors.
pzkhan (Author) Commented:
Perhaps my terminology is off. Let me try to be more clear.

When I say self-signed certificate, I mean:
Issuer: Farhan Certs Inc.
Issued to: Farhan Certs Inc.

Is there a way I can do:
Issuer: Farhan Certs Inc.
Issued to: testsite.mydomain.com

Then, install the Self-Signed Certificate on my development machine's browser so that when IE or Firefox goes to testsite.mydomain.com and receives its certificate, it can verify that it has been signed by Farhan Certs Inc.

Is that possible? I hope that makes sense.
Yes.  That makes sense.
It is the bottom thing above.  You are becoming a self signing CA.
(CA is a signing authority)

So see

or google 'How to self sign CA with openSSL'

You can then install these certs on the web server and install the CA in the browsers and it will work.
Question was answered.  If you do not have a full answer then ask the question again maybe in a different way or tell me what you are missing and I will try to help (or another member of the team)
pzkhan (Author) Commented:
I appreciate the help, but it was not an answer. You directed me to a website that did not answer my question and said use Google. If I was successful with Google, I would not have come here.

I created a self-signed, root-level certificate with OpenSSL. That process left me with:
A) The self-signed, root-level cert
B) The private key

As I understand it, then 3rd parties create their own private/public key-pair and send you their public key to be signed by the CA's private key, thus creating a Certificate.

My questions are:
A) Using OpenSSL, how do I create that public-private keypair (pre-signed) from the requestor?
B) How do I sign it with the private-key from the CA?
The requestor does something like this :

openssl genrsa -out www.mysite.com.key 2048
openssl req -new -key www.mysite.com.key -out www.mysite.com.csr

This gives you the .key file (the private key) and the .csr (certificate request file)

They send you just the .csr


Now you sign it with something like :

openssl x509 -req -in www.mysite.com.csr -CA yourca.crt -CAkey yourca.key -out www.mysite.com.crt -days 365 -CAcreateserial -CAserial yourca.seq

where :

x509 -req : tells it to sign a CSR

-in www.mysite.com.csr : name of csr to work on

-CA yourca.crt : gives the file for the CA public key certificate.

-CAkey yourca.key : your private key file for the CA

-days 365 : Number of days cert is valid for

-out www.mysite.com.crt : create this cert file (you send this back to user)

-CAcreateserial : create a serial number file to track certs

-CAserial yourca.seq : and store the serial numbers in this file

pzkhan (Author) Commented:
Thanks for the help! Sorry for being a bit rude.
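
The whole flow from this thread as one non-interactive script, added here as an example and not part of any post above. It assumes 2048-bit keys and SHA-256, and supplies a subjectAltName through -extfile because `openssl x509 -req` does not copy extensions from the CSR by default and current browsers match the host name against the SAN; the `issue_cert` function and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: issue_cert and its file layout are hypothetical; the subject
# names reuse the ones from the question (Farhan Certs Inc., testsite.mydomain.com).
# Usage: issue_cert <output-dir> <hostname>
issue_cert() {
    dir=$1
    host=$2

    # 1. CA side: private key plus self-signed root (Issuer == Subject).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1001 -sha256 -key "$dir/ca.key" \
        -subj "/O=Farhan Certs Inc." -out "$dir/ca.cer" &&

    # 2. Requestor side: own key pair and a CSR. Only the .csr goes to the CA;
    #    the requestor's .key never leaves the requestor.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" &&

    # 3. Extensions the CA stamps into the issued cert: a leaf (not a CA)
    #    that is valid for exactly this DNS name.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/$host.ext" &&

    # 4. CA signs the CSR with its private key and records the serial number.
    openssl x509 -req -in "$dir/$host.csr" \
        -CA "$dir/ca.cer" -CAkey "$dir/ca.key" \
        -CAcreateserial -CAserial "$dir/ca.seq" \
        -days 365 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null &&

    # 5. Check the chain the same way a client that trusts ca.cer would.
    openssl verify -CAfile "$dir/ca.cer" "$dir/$host.crt" >/dev/null
}
```

Import only ca.cer into the browser trust store; ca.key stays on the signing machine, since anyone holding it can issue certificates that browser will accept.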
