Cloning a CSR or Cert. for a new CSR with a new key?

Kyle Hamilton aerowolf at
Fri Jan 31 07:14:00 UTC 2020

A CSR is self-signed to provide what's called "proof of possession" -- that
is, proof that the requester possesses the private key to the claimed
public key.  It doesn't act as a CA in that case, because the CSR is not an
actual Certificate structure.

-Kyle H

On Thu, Jan 30, 2020, 18:26 Douglas Morris via openssl-users <
openssl-users at> wrote:

> Thanks, Dw.
> Interesting. I think I misunderstood this explanation about the -signkey
> <file> option: "This option causes the input file to be self signed using
> the supplied private key."
> Your input has me thinking that a certificate signing request is in fact
> self-signed like a self-signed certificate is self-signed. I think I
> mistakenly supposed any self-signing meant acting like a "mini CA". I shall
> give those two x509 options, '-x509toreq' and '-signkey', a try.
> Douglas Morris
> On Thursday, January 30, 2020, 3:51:45 PM EST, Dirk-Willem van Gulik <
> dirkx at> wrote:
> On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users <
> openssl-users at> wrote:
> I am trying to implement automated domain certificate renewal. A
> certificate signing request is sent to an ACME server and on success a
> certificate is returned. I'd like to be able to call OpenSSL to make a new
> key and then make a new certificate signing request just like the old one
> except for the replacement key pair file.
> I suppose the complete information beyond the new key data is available
> both in the old csr and the old certificate. I'm looking at the manpages of
> OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq'
> gave me a momentary rush of hope, but then I read about the '-signkey'
> option, which seems to be exclusively about self-signing.
> Is 'cloning' the csr or cert. information semantically logical? Is it
> possible with OpenSSL?
> If I can't reliably extract the relevant data from the old csr or old
> certification, I suppose I must do it as usual with a dedicated config file
> and the '-batch' option:
>      openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch
> openssl x509 -x509toreq should do the trick
> E.g.
> # generate test cert
> openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
> openssl x509 -in x.crt -noout -text
> # turn test cert in a request
> openssl x509 -x509toreq -signkey x.key < x.crt
> Dw