Tips for simple generation of self-signed certificates - Re: openssl x509 -x509toreq -extensions v3_req will not output version 3 even though input cert.pem is X509v3

David von Oheimb it at
Wed Apr 26 15:21:49 UTC 2023

Hello Jelle,

you simply confused the versions. For X.509 the latest version is 3,
while PKCS#10 CSRs are stuck with v1.
For this plain old CSR format there is no later one. See

BTW, I wonder why you first produce a certificate, skipping the CSR
(cert request) step, and then produce a CSR.
You don't need a CSR when all you need is a self-signed (end-entity or
root CA) certificate.

Better stop using OpenSSL 1.1.x - its support will end in September, but
switch to 3.0 (with long-term support).
For producing such a simple certificate, you don't need to rely on any
OpenSSL config (*.cnf) file.
Better do not use RSA with just 1024 bits anymore, but 2048 bits.
And to be be precise with 10 years of validity, take leap years into
For the extensions, all you need is any subject alternative names.

For key usage, with RSA keys only digitalSignature and keyEncipherment
makes sense,
while for EC keys only digitalSignature and keyAgreement makes sense,
but this can simply be left out, meaning that any key usage is allowed
(which is safe for more situations).

So I suggest this:

openssl req -x509 -new -newkey rsa:2048 -nodes -keyout key.pem \
  -out cert.pem -days 3653 -subj '/CN=test.example.lan' \
  -addext 'subjectAltName = DNS:test.example.lan' \
  -addext 'keyUsage = digitalSignature, keyEncipherment'

If you already have a key or want to produce it separately, use can use

openssl genrsa -out key.pem 2048
openssl ecparam -genkey -name prime256v1 -out key.pem  # alternative for EC key, faster and smaller

openssl x509 -new -key key.pem -out cert.pem -days 3653 -subj '/CN=test.example.lan' \
  -extfile <(echo -n "subjectAltName = DNS:test.example.lan \n keyUsage = digitalSignature, keyEncipherment")

where as mentioned you can safely drop the keyUsage part.


On Wed, 2023-04-26 at 12:11 +0200, Jelle de Jong wrote:
> Hello everybody,
> I am trying to generate a CSR with X509v3 from a working X509v3 cert
> but 
> the output generates a version 1 CSR without X509v3.
> These are the steps to reproduce:
> openssl req -utf8 -x509 -nodes -new -keyout key.pem -out cert.pem -
> days 
> 3650 -subj '/CN=test.example.lan' -extensions v3_req -addext 
> 'subjectAltName = DNS:test.example.lan'
> openssl x509 -x509toreq -in cert.pem -signkey key.pem -out csr.pem 
> -extensions v3_req -ext 
> subjectAltName,keyUsage,basicConstraints,extendedKeyUsage,certificateP
> olicies
> openssl req -in csr.pem -noout -verify
> openssl req -in csr.pem -out csr.req
> # show X509v3 Subject Alternative Name:
> openssl x509 -in cert.pem -text -noout
> # does not show X509v3 Subject Alternative Name:
> openssl req -in csr.req -text -noout
> Tried with the bollow two versions
> $ openssl version
> OpenSSL 1.1.1n  15 Mar 2022
> # openssl version
> OpenSSL 1.1.1k  FIPS 25 Mar 2021
> Can someone, do I need a diffrent openssl x509 -x509toreq -extensions
> ...
> Thank you in advance,
> Kind regards,
> Jelle de Jong
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list