Skip to content
Latchkey

openssl x509 -req: Sign a CSR Into a Cert

openssl x509 -req takes a CSR and a CA key and produces a signed certificate.

For a test PKI you often act as your own CA: make a CA cert once, then sign leaf CSRs with x509 -req. It is simpler than the full ca command.

What it does

openssl x509 -req reads a CSR, signs it with the CA certificate and key, and emits a new leaf certificate. A serial number is required, supplied by -CAserial or generated with -CAcreateserial.

Common usage

Terminal
openssl x509 -req -in req.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out leaf.pem -days 365 \
  -extfile <(printf "subjectAltName=DNS:example.com")

Options

FlagWhat it does
-reqTreat the input as a CSR, not a certificate
-CA <file>CA certificate that signs the leaf
-CAkey <file>CA private key
-CAcreateserialCreate the serial file if it does not exist
-extfile <file>File with v3 extensions (e.g. SAN) to copy in
-days NValidity of the issued certificate

In CI

x509 -req does not copy SANs from the CSR automatically; pass them again via -extfile or the leaf will lack a SAN and clients will reject it. Process substitution (the <(printf ...) form) avoids creating a temp file.

Common errors in CI

"unable to load CA Private Key" means -CAkey is wrong or encrypted; supply -passin pass:... if it has a passphrase. "unable to load number from ca.srl" means the serial file is missing; add -CAcreateserial. If clients still fail, the leaf likely has no SAN because -extfile was omitted.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →