Cloning a CSR or Cert. for a new CSR with a new key?

Douglas Morris dougbmorris at
Fri Jan 31 18:59:42 UTC 2020

Thanks everyone for the replies and the community support. I don't think I got across what I am trying to do. I have experimented with subcommands req and x509. The openssl x509 -in <cert> -x509toreq -signkey <alt-key-file> does *NOT* do what I want (I'm pretty sure).
openssl x509 -x509toreq may sign a certificate signing request (csr) with a different key, but (as far as I can tell via the -text output) it does not change the public key documented (does not change the RSA Public key modulus) in the output request to match the private signature file.  The -text output from the input and output csr's are identical. Neither do I see how a request (csr) could be provided to the subcommand x509 -x509toreq or to subcommand req to alter an existing csr to have a new domain authentication key (the documented public key). The req subcommand seems completely irrelevant to what I'd like to do. Is this an unusual use case?

I believe I will have to use a config file via the -config <file> option to support the creation of a new request with a new domain authentication key. Do I want to change my architecture to support that? No, cause it's working well from the given crs file, but I want domain key rollover on automatic renewal. If I must create a new csr from scratch to support domain key replacement, the csr is not a viable starting point, and neither is the certificate file from the CA. Is there a flaw in my logic?

Douglas Morris

    On Friday, January 31, 2020, 4:42:21 AM EST, Dirk-Willem van Gulik <dirkx at> wrote:  
On 31 Jan 2020, at 01:25, Douglas Morris <dougbmorris at> wrote:

Interesting. I think I misunderstood this explanation about the -signkey <file> option: "This option causes the input file to be self signed using the supplied private key."

Your input has me thinking that a certificate signing request is in fact self-signed like a self-signed certificate is self-signed. I think I mistakenly supposed any self-signing meant acting like a "mini CA". I shall give those two x509 options, '-x509toreq' and '-signkey', a try.

Correct - a CSR is generally signed by the party submitting it - thus proving that he or she has access to their own private key.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list