openssl-req
creates and processes certificate signing requests
TLDR
Generate CSR with new key
$ openssl req -new -newkey rsa:[4096] -keyout [private.key] -out [request.csr]
Generate CSR from existing key$ openssl req -new -key [private.key] -out [request.csr]
Generate self-signed certificate$ openssl req -x509 -newkey rsa:[4096] -keyout [key.pem] -out [cert.pem] -days [365] -nodes
View CSR contents$ openssl req -in [request.csr] -text -noout
Generate CSR with config file$ openssl req -new -config [openssl.cnf] -keyout [key.pem] -out [request.csr]
SYNOPSIS
openssl req [options]
DESCRIPTION
openssl req creates and processes certificate signing requests (CSRs). It can also generate self-signed certificates for testing.
CSRs are submitted to Certificate Authorities to obtain signed certificates.
PARAMETERS
-new
Generate new CSR.-x509
Output certificate instead of CSR.-newkey type:bits
Generate new key.-key file
Use existing key.-keyout file
Output key file.-out file
Output file.-days n
Validity period.-nodes
Don't encrypt key.-subj subj
Subject DN.
SUBJECT FORMAT
$ openssl req -new -key key.pem -out csr.pem \
-subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
-subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
CAVEATS
Self-signed certs not trusted by browsers. Use -nodes carefully. CSR doesn't contain private key.
HISTORY
Certificate request functionality has been part of OpenSSL since its SSL/TLS implementation origins.
SEE ALSO
openssl-x509(1), openssl-ca(1), openssl-genpkey(1)