openssl-req
creates and processes certificate signing requests
TLDR
Generate CSR with new key
$ openssl req -new -newkey rsa:[4096] -keyout [private.key] -out [request.csr]
Generate CSR from existing key
$ openssl req -new -key [private.key] -out [request.csr]
Generate self-signed certificate
$ openssl req -x509 -newkey rsa:[4096] -keyout [key.pem] -out [cert.pem] -days [365] -noenc
View CSR contents
$ openssl req -in [request.csr] -text -noout
Verify CSR signature
$ openssl req -in [request.csr] -verify -noout
Generate CSR with subject on command line
$ openssl req -new -key [private.key] -out [request.csr] -subj "/C=[US]/ST=[State]/L=[City]/O=[Org]/CN=[example.com]"
Generate CSR with config file
$ openssl req -new -config [openssl.cnf] -keyout [key.pem] -out [request.csr]
Generate self-signed cert with SAN extension
$ openssl req -x509 -newkey rsa:[4096] -keyout [key.pem] -out [cert.pem] -days [365] -noenc -addext "subjectAltName=DNS:[example.com],DNS:[www.example.com]"
SYNOPSIS
openssl req [options]
DESCRIPTION
openssl req creates and processes certificate signing requests (CSRs). It can also generate self-signed certificates for testing. CSRs are submitted to Certificate Authorities to obtain signed certificates.
PARAMETERS
-new
Generate new CSR.
-x509
Output certificate instead of CSR.
-newkey type:bits
Generate new key.
-key file
Use existing key.
-keyout file
Output key file.
-out file
Output file.
-days n
Validity period (only with -x509).
-noenc
Don't encrypt the output key. Replaces deprecated -nodes.
-nodes
Don't encrypt key. Deprecated in OpenSSL 3.0; use -noenc instead.
-subj subj
Set subject DN (e.g., /C=US/O=Org/CN=host).
-addext ext
Add a certificate extension (e.g., subjectAltName=DNS:example.com).
-config file
Use alternative configuration file.
-text
Print the CSR or certificate in human-readable form.
-noout
Suppress output of the encoded request.
-verify
Verify the signature on the CSR.
-in file
Input CSR file.
-inform DER|PEM
Input format. Default is PEM.
-outform DER|PEM
Output format. Default is PEM.
-digest
Message digest to sign the request (e.g., -sha256, -sha384).
SUBJECT FORMAT
$ openssl req -new -key key.pem -out csr.pem \
-subj "/C=US/ST=State/L=City/O=Org/CN=example.com"
CAVEATS
Self-signed certificates are not trusted by browsers without manual import. The -nodes flag has been deprecated since OpenSSL 3.0; use -noenc instead. A CSR does not contain the private key.
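The "Generate CSR with config file" form from the TLDR, followed by the -verify and -text checks, as an added example that is not part of the original page. The config contents, the file names and the example.test hostnames are assumptions; default_bits is 2048 only to keep the run short.

```shell
#!/bin/sh
# Added example, not from the original page. File names and the
# example.test hostnames are constructed values.

# make_csr DIR: write a config, generate key + CSR in DIR, then check the result.
# Returns 0 when every check passes, otherwise the number of the failed step.
make_csr() (
    dir=$1
    umask 077                  # key is written unencrypted: owner-only access
    cd "$dir" || exit 1

    cat > req.cnf <<'EOF'
[req]
default_bits       = 2048
default_md         = sha256
prompt             = no
encrypt_key        = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
C  = US
O  = Org
CN = example.test

[v3_req]
subjectAltName = DNS:example.test,DNS:www.example.test
EOF

    # Same form as "Generate CSR with config file"; the key comes from default_bits.
    openssl req -new -config req.cnf -keyout key.pem -out request.csr 2>/dev/null || exit 1

    # Step 2: signature check. Match the status message, not only the exit code.
    openssl req -in request.csr -verify -noout 2>&1 | grep -q "verify OK" || exit 2

    # Step 3: both SAN entries must be present in the request itself.
    text=$(openssl req -in request.csr -noout -text) || exit 3
    for name in example.test www.example.test; do
        printf '%s\n' "$text" | grep -qF "DNS:$name" || exit 3
    done

    # Step 4: the file sent to the CA must hold no private key material.
    if grep -q "PRIVATE KEY" request.csr; then exit 4; fi
)
# Usage: make_csr "$(mktemp -d)"
```
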
HISTORY
Certificate request functionality has been part of OpenSSL since its SSL/TLS implementation origins.
SEE ALSO
openssl(1), openssl-x509(1), openssl-ca(1), openssl-genpkey(1), openssl-pkey(1), openssl-rsa(1)
