openssl x509 -req: Sign a CSR Into a Cert
openssl x509 -req takes a CSR and a CA key and produces a signed certificate.
For a test PKI you often act as your own CA: make a CA cert once, then sign leaf CSRs with x509 -req. It is simpler than the full ca command.
What it does
openssl x509 -req reads a CSR, signs it with the CA certificate and key, and emits a new leaf certificate. A serial number is required, supplied by -CAserial or generated with -CAcreateserial.
Common usage
openssl x509 -req -in req.csr \
-CA ca.pem -CAkey ca-key.pem -CAcreateserial \
-out leaf.pem -days 365 \
-extfile <(printf "subjectAltName=DNS:example.com")Options
| Flag | What it does |
|---|---|
| -req | Treat the input as a CSR, not a certificate |
| -CA <file> | CA certificate that signs the leaf |
| -CAkey <file> | CA private key |
| -CAcreateserial | Create the serial file if it does not exist |
| -extfile <file> | File with v3 extensions (e.g. SAN) to copy in |
| -days N | Validity of the issued certificate |
In CI
x509 -req does not copy SANs from the CSR automatically; pass them again via -extfile or the leaf will lack a SAN and clients will reject it. Process substitution (the <(printf ...) form) avoids creating a temp file.
Common errors in CI
"unable to load CA Private Key" means -CAkey is wrong or encrypted; supply -passin pass:... if it has a passphrase. "unable to load number from ca.srl" means the serial file is missing; add -CAcreateserial. If clients still fail, the leaf likely has no SAN because -extfile was omitted.