How to issue a certificate with OpenSSL

Short version of my question:

How do I use OpenSSL to create a non-self-signed certificate? This is assuming I already have a self-signed certificate and private key setup.

Long version of my question:

To create my self-signed certificate, I did the following:
openssl genrsa -out ca.key 1024
openssl req -new -x509 -days 1001 -key ca.key -out ca.cer

Now that I have ca.cer, the self-signed cert, how do I sign other certificates (ie, non-self-signed)?
Who is Participating?
edster9999Connect With a Mentor Commented:
The requestor does something like this :

openssl genrsa -out 2048
openssl req -new -key -out

This gives you the .key file (the private key) and the .csr (certificat request file)

They send you just the .csr


Now you sign it with something like :

openssl x509 -req -in -CA yourca.crt -CAkey yourca.key -out -days 365 -CAcreateserial -CAserial yourca.seq

where :

x509 -req : tells it to sign a CSR

-in : name of csr to work on

-CA yourca.crt : gives the file for the CA public key certificate.

-CAkey yourca.key : your private key file for the CA

-days 365 : Number of days cert is valid for

-out : create this cert file (you send this back to user)

-CAcreateserial : create a serial number file to track certs

-CAserial yourca.seq : and store the serial numbers in this file

Do you mean how do you create a real cert ?
If that is the question then you need to generate a csr and send it to a signing company to sign it for real and they return the cert.

If you mean how can you sign other certs yourself using the current cert as a CA
then read this :

The certs you sign will still be 'self signed' as you are not a real CA.  SO you would need to install the CA cert into the browsers you will be using for these sites unless you are happy seeing errors.
pzkhanAuthor Commented:
Perhaps my terminology is off. Let me try to be more clear.

When I say self-signed certificate, I mean:
Issuer: Farhan Certs Inc.
Issued to: Farhan Certs Inc.

Is there a way I can do:
Issuer: Farhan Certs Inc.
Issued to:

Then, install the Self-Signed Certificate on my development machine's browser so that when IE or Firefox goes to and receives its certificate, it can verify that it has been signed by Farhan Certs Inc.

Is that possible? I hope that makes sense.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Yes.  That makes sense.
It is the bottom thing above.  You are becoming a self signing CA.
(CA is a siging authority)

So see

or google 'How to self sign CA with openSSL'

You can then install these certs on the web server and install the CA in the browsers and it will work.
Question was answered.  If you do not have a full answer then ask the question again maybe in a different way or tell me what you are missing and I will try to help (or another member of the team)
pzkhanAuthor Commented:
I appreciate the help, but it was not an answer. You directed me to a website that did not answer my question and said use Google. If I was successful with Google, I would not have come here.

I created a self-signed, root-level certificate with OpenSSL. That process left me with:
A) The self-signed, root-level cert
B) The private key

As I understand it, then 3rd parties create their own private/public key-pair and send you their public key to be signed by the CA's private key, thus creating a Certificate.

My questions are:
A) Using OpenSSL, how do I create that public-private keypair (pre-signed) from the requestor?
B) How do I sign it with the private-key from the CA?
pzkhanAuthor Commented:
Thanks for the help! Sorry for being a bit rude.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.