
The req Utility

The req utility is used to generate a self-signed certificate or a certificate signing request (CSR). A CSR contains details of a certificate to be issued by a CA. When creating a CSR, the req command prompts you for the necessary information from which a certificate request file and an encrypted private key file are produced. The certificate request is then submitted to a CA for signing.

If the -nodes (no DES) parameter is not supplied to req, you are prompted for a pass phrase which will be used to protect the private key.

Note

It is important to specify a validity period (using the -days parameter). If the certificate expires, applications that are using that certificate will not be authenticated successfully.

The options supported by the openssl req utility are as follows:

-inform arg

input format - one of DER TXT PEM

-outform arg

output format - one of DER TXT PEM

-in arg

input file

-out arg

output file

-text

text form of request

-noout

do not output REQ

-verify

verify signature on REQ

-modulus

RSA modulus

-nodes

do not encrypt the output key

-key file

use the private key contained in file

-keyform arg

key file format

-keyout arg

file to send the key to

-newkey rsa:bits

generate a new RSA key of ‘bits’ in size

-newkey dsa:file

generate a new DSA key, parameters taken from CA in ‘file’

-[digest]

Digest to sign with (md5, sha1, md2, mdc2)

-config file

request template file

-new

new request

-x509

output an x509 structure instead of a certificate request (used for creating self-signed certificates)

-days

number of days an x509 generated by -x509 is valid for

-asn1-kludge

Output the ‘request’ in a format that is wrong but that some CAs have been reported as requiring [It is now always turned on but can be turned off with -no-asn1-kludge]

To create a self-signed certificate with an expiry date a year from now, the req utility can be used as follows to create the certificate CA_cert.pem and the corresponding encrypted private key file CA_pk.pem:

openssl req -config ssl_conf_path_name -days 365 \
            -out CA_cert.pem -new -x509 -keyout CA_pk.pem

The following command creates the certificate request MyReq.pem and the corresponding encrypted private key file MyEncryptedKey.pem:

openssl req -config ssl_conf_path_name -days 365 \
            -out MyReq.pem -new -keyout MyEncryptedKey.pem
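
The script below runs both commands without prompts and then checks the results: the CSR signature, the key encryption and the certificate's remaining validity. It is an added example, not part of the original documentation. The configuration contents, subject values, KEY_PASS variable and helper function names are assumptions made for the demo, and -passout and x509 -checkend are standard OpenSSL options that this page does not list.

```shell
#!/bin/sh
# Added example: non-interactive forms of the two req commands, plus checks.
# File names, subject values and the pass phrase are constructed for the demo.
set -eu

write_config() {      # $1 = path; stands in for ssl_conf_path_name
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
default_md         = sha256
distinguished_name = dn
[ dn ]
O  = Example Org
CN = example.test
EOF
}

# CSR plus encrypted key. No -days: a CSR has no validity period, the CA sets it.
make_csr() {          # $1 = config, $2 = key out, $3 = CSR out
    openssl req -config "$1" -new -keyout "$2" -out "$3" -passout env:KEY_PASS
}

# Self-signed certificate valid for $4 days, with its own encrypted key.
make_selfsigned() {   # $1 = config, $2 = key out, $3 = cert out, $4 = days
    openssl req -config "$1" -new -x509 -days "$4" \
        -keyout "$2" -out "$3" -passout env:KEY_PASS
}

csr_signature_ok() {  # $1 = CSR; succeeds only if its self-signature verifies
    openssl req -in "$1" -verify -noout 2>&1 | grep -q 'verify OK'
}

key_is_encrypted() {  # $1 = key; both PEM key encodings carry this marker
    grep -q 'ENCRYPTED' "$1"
}

valid_for_days() {    # $1 = cert, $2 = days; succeeds if still valid then
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

KEY_PASS='constructed-demo-pass-phrase'; export KEY_PASS  # read via env:, not argv
WORK=$(mktemp -d)
write_config "$WORK/req.cnf"
make_csr "$WORK/req.cnf" "$WORK/MyEncryptedKey.pem" "$WORK/MyReq.pem"
make_selfsigned "$WORK/req.cnf" "$WORK/CA_pk.pem" "$WORK/CA_cert.pem" 365
csr_signature_ok "$WORK/MyReq.pem" && echo "CSR signature OK"
key_is_encrypted "$WORK/CA_pk.pem" && echo "CA key is encrypted"
valid_for_days "$WORK/CA_cert.pem" 30 && echo "certificate valid for 30+ more days"
```

Running valid_for_days on a schedule, with a threshold that matches the renewal lead time, catches the expiry failure described in the note before applications stop authenticating.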