openssl-req
Create certificate signing requests
TLDR
Generate a certificate signing request to be sent to a certificate authority
Generate a self-signed certificate and a corresponding key-pair, storing both in a file
SYNOPSIS
openssl req [options]
Common usage examples:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
(Generates a new 2048-bit RSA key and a corresponding CSR, without a passphrase on the key)
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key -out selfsigned.crt -days 365
(Generates a self-signed certificate valid for 365 days, without a passphrase on the key)
openssl req -in server.csr -noout -text
(Displays the content of an existing CSR in human-readable text format)
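The following shell script is an added example, not part of the original page or of the OpenSSL project: it runs the first and third usage lines above non-interactively (the subject DN is passed with -subj) and then performs the checks a practitioner wants before a CSR leaves the machine: the request's own signature verifies, the public key in the CSR matches the private key file, and the CN and key size are what was requested. It assumes the openssl binary is on PATH; the FQDN, DN fields and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): generate a key and CSR without
# prompts, then sanity-check the CSR before sending it to a CA.
# Assumptions: openssl is on PATH; file names and the DN are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate an unencrypted 2048-bit RSA key and a CSR for the given FQDN.
# -subj supplies the DN so no interactive prompts appear; -sha256 is the
# digest used to sign the request itself.
gen_csr() {
    fqdn="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$fqdn" \
        >/dev/null 2>&1
    chmod 600 "$WORK/$fqdn.key"   # the private key must not be group/world readable
}

# Check 1: the request's self-signature verifies (file not truncated or altered).
csr_signature_ok() {
    openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key embedded in the CSR is the one derived from the
# private key file, so the key you keep is the key the CA will certify.
csr_matches_key() {
    csr_pub=$(openssl req -in "$WORK/$1.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/$1.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Check 3: the CN recorded in the CSR subject (works for both "CN = x" and
# "/CN=x" subject formats printed by different OpenSSL versions).
csr_cn() {
    openssl req -in "$WORK/$1.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Check 4: the key size recorded in the CSR, taken from the -text dump.
csr_key_bits() {
    openssl req -in "$WORK/$1.csr" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone demonstration (skipped silently if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    gen_csr www.example.test
    csr_signature_ok www.example.test && echo "CSR signature: OK"
    csr_matches_key www.example.test && echo "CSR public key matches private key"
    echo "CN: $(csr_cn www.example.test), key: $(csr_key_bits www.example.test) bits"
    echo "Files written to $WORK"
fi
```

The key/CSR match check matters in practice: a CSR regenerated after a key rotation, or one copied from another host, will pass -verify yet belong to a key you no longer hold, and the mismatch only surfaces when the issued certificate fails to load next to the key.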
PARAMETERS
-new
Creates a new Certificate Signing Request (CSR).
-newkey alg:bits
Generates a new private key of the specified algorithm (e.g., rsa:2048, ec:prime256v1) alongside the CSR.
-nodes
Do not encrypt the private key. This is useful for automated server startup, but the key is then protected only by file permissions: anyone who can read the key file can use the key.
-keyout file
Specifies the output file for the generated private key.
-out file
Specifies the output file for the CSR or self-signed certificate.
-x509
Outputs a self-signed certificate instead of a CSR. Requires the -days option.
-days num
Sets the validity period in days for a self-signed certificate when used with -x509.
-in file
Specifies an input CSR file for processing (e.g., viewing its content).
-text
Prints the content of the CSR or certificate in human-readable text format.
-noout
Prevents the output of the encoded CSR or certificate, useful when combined with -text.
-subj "/C=US/ST=State/..."
Sets the subject Distinguished Name (DN) directly from the command line, bypassing interactive prompts.
-config file
Specifies an alternative OpenSSL configuration file instead of the default (/etc/ssl/openssl.cnf).
-sha256, -sha384, -sha512
Specifies the message digest algorithm to be used for signing the request (e.g., SHA256).
-extensions section
Specifies the configuration file section containing X.509 extensions for the CSR or certificate (e.g., v3_req).
DESCRIPTION
The openssl req command is a fundamental utility within the OpenSSL toolkit, primarily used for managing X.509 Certificate Signing Requests (CSRs). It enables users to create new CSRs from scratch, which are essential when requesting digital certificates from a Certificate Authority (CA). During the CSR generation process, openssl req can also generate a new private key (e.g., RSA, EC) that will correspond to the public key embedded in the CSR. This command supports various configuration options for specifying the subject Distinguished Name (DN), key algorithms, and certificate extensions. Beyond CSR creation, it can also process existing CSRs, allowing users to view their content in human-readable format. Furthermore, openssl req has the capability to generate self-signed X.509 certificates directly, which are useful for development, testing, or internal non-CA-validated purposes, where immediate trust is not required. It's a cornerstone for establishing secure communications in various network services by providing the means to initiate the certificate issuance lifecycle.
CAVEATS
Security of Private Keys: Private keys generated by openssl req must be kept absolutely secure. If an encrypted private key is used (i.e., -nodes is not specified), you must remember the passphrase, and it should be strong.
Configuration Files: The behavior of openssl req is heavily influenced by the OpenSSL configuration file (typically /etc/ssl/openssl.cnf). This file defines default values for DN fields, allowed certificate extensions, and policy.
Self-Signed vs. CA-Signed: A self-signed certificate created with -x509 is generally not trusted by browsers or clients without manual intervention, as it lacks validation from a recognized Certificate Authority. Such certificates are suitable for internal or testing environments only.
CONFIGURATION FILE (OPENSSL.CNF)
The openssl.cnf file defines global OpenSSL settings and sections specific to openssl req, such as the [ req ] section for general request settings (e.g., default_bits, default_md) and [ v3_req ] for specifying X.509 extensions like Subject Alternative Names (SANs) or key usages. Customizing this file allows for streamlined, consistent CSR generation.
DISTINGUISHED NAME (DN) COMPONENTS
When creating a CSR, you will be prompted for Distinguished Name (DN) components like Country Name (C), State or Province Name (ST), Locality Name (L), Organization Name (O), Organizational Unit Name (OU), and Common Name (CN). The Common Name (CN) is particularly important as it usually represents the fully qualified domain name (FQDN) of the server for which the certificate is being issued, or the name of the entity being certified.
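The script below is an added example, not part of the original page or of the OpenSSL project, that ties the two sections above together: it writes a minimal openssl.cnf with a [ req ] section (default_bits, default_md, prompt = no), a [ req_distinguished_name ] section holding the DN components instead of interactive prompts, and a [ v3_req ] section carrying a Subject Alternative Name list. It then generates a CSR with -config, generates a self-signed certificate with -x509 -days from the same file, and checks that the SANs actually landed in both objects and that the certificate is self-issued and valid for the requested period. It assumes openssl is on PATH; the names, DN values and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): config-driven CSR and
# self-signed certificate generation with SANs, plus verification.
# Assumptions: openssl is on PATH; DN values, hostnames and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/req.cnf"

# Write a request-only config. prompt = no makes the [ req_distinguished_name ]
# entries literal values; req_extensions applies to CSRs, x509_extensions to
# certificates made with -x509, so both carry the same v3_req section.
write_req_config() {
    cat > "$CNF" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
x509_extensions     = v3_req

[ req_distinguished_name ]
C  = US
ST = State
L  = City
O  = Example Org
CN = www.example.test

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# CSR from the config: no -subj needed because the DN is in the file.
gen_csr_with_sans() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
        -keyout "$WORK/san.key" -out "$WORK/san.csr" >/dev/null 2>&1
}

# Self-signed certificate from the same config, valid for $1 days.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -days "$1" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# Print the SAN line of a CSR ($1=req) or certificate ($1=x509) from its -text dump.
sans_of() {
    openssl "$1" -in "$2" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# A self-signed certificate has identical issuer and subject.
cert_is_selfsigned() {
    issuer=$(openssl x509 -in "$WORK/selfsigned.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORK/selfsigned.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Succeeds if the certificate is still valid $1 days from now (-checkend takes seconds).
cert_valid_in_days() {
    openssl x509 -in "$WORK/selfsigned.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demonstration (skipped silently if openssl is not installed).
write_req_config
if command -v openssl >/dev/null 2>&1; then
    gen_csr_with_sans
    echo "CSR SANs:  $(sans_of req "$WORK/san.csr")"
    gen_selfsigned 365
    echo "Cert SANs: $(sans_of x509 "$WORK/selfsigned.crt")"
    cert_is_selfsigned && echo "Certificate is self-signed (issuer == subject)"
    cert_valid_in_days 364 && echo "Certificate still valid in 364 days"
    echo "Files written to $WORK"
fi
```

The SAN check is the one most often missed: modern clients ignore the CN for hostname matching and use only subjectAltName, so a CSR whose extensions section was never applied (a missing req_extensions line, or the wrong -reqexts/-extensions section name on the command line) produces a certificate that fails hostname validation even though the CN looks right.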
HISTORY
The openssl req command is an integral part of the OpenSSL project, a robust open-source implementation of the SSL/TLS protocols and cryptographic libraries. It has been a core utility since the early days of OpenSSL's development, evolving in tandem with X.509 certificate standards and PKI practices. Its widespread adoption across Linux and Unix-like systems has made it the de facto tool for generating Certificate Signing Requests for web servers (e.g., Apache, Nginx) and other secure services, playing a critical role in securing internet communications.