openssl x509 -req -in server.csr -signkey privateKey.pem -out server.cert.pem -days 3650 -sha256 -extfile server_cert_ext.cnf
Explanation of the parameters provided in the command line:
- openssl x509 : the command for executing OpenSSL to generate a new certificate.
- -req -in server.csr : the certificate request file "server.csr" is taken as input for the conversion into a self-signed certificate.
- -signkey privateKey.pem : the key file "privateKey.pem", which is created in the 1st step, is used to sign the self-signed certificate.
- -out server.cert.pem : the output file "server.cert.pem" is generated to store certificate content.
- -days 3650 : the number of days (3650) the certificate is valid for. 3650 days corresponds to a validity of 10 years. To choose a different validity, replace 3650 with the number of days, in year increments, for which you want the certificate to be valid.
- -sha256 : the hashing algorithm "SHA256" is used.
- -extfile server_cert_ext.cnf : the extension file "server_cert_ext.cnf", whose creation is explained in the section Prerequisites for generating a PKCS12 certificate, is used for defining certificate extensions. If not specified, by default the certificate is generated with a basicConstraints=CA:TRUE extension, leading to creation of a CA (Certificate Authority) certificate instead of an end-entity certificate.
Detailed documentation about the openssl x509 command can be found in the OpenSSL documentation for x509 parameter.
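To confirm that the extension file took effect, the following added example (not part of the original documentation) runs the command above on a throwaway key and CSR and reports the role that basicConstraints gives the resulting certificate. The key-generation and CSR commands, the subject server.example.test, the helper function names and the contents written to server_cert_ext.cnf are assumptions constructed for illustration; the real extension file is the one described in the Prerequisites section.

```shell
#!/bin/sh
# Added example: sign a CSR with the command from this page, then check
# whether the certificate came out as a CA or an end-entity certificate.

# Print "ca", "end-entity" or "unspecified" for a PEM certificate.
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    case "$text" in
        *CA:TRUE*)  echo "ca" ;;
        *CA:FALSE*) echo "end-entity" ;;
        *)          echo "unspecified" ;;  # no basicConstraints extension
    esac
}

# Create a throwaway key, CSR and extension file in directory $1, then run
# the page's signing command. Key size, subject and extension values are
# constructed sample values, not taken from the page.
make_server_cert() {
    ( cd "$1" &&
      openssl genrsa -out privateKey.pem 2048 2>/dev/null &&
      openssl req -new -key privateKey.pem -out server.csr \
          -subj "/CN=server.example.test" &&
      cat > server_cert_ext.cnf <<'EOF' &&
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
      openssl x509 -req -in server.csr -signkey privateKey.pem \
          -out server.cert.pem -days 3650 -sha256 \
          -extfile server_cert_ext.cnf
    )
}

workdir=$(mktemp -d)
make_server_cert "$workdir"
echo "role: $(cert_role "$workdir/server.cert.pem")"
```

A result of "ca" or "unspecified" for a server certificate means the extension file was not applied and the certificate should be regenerated before it is packaged.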