It can be used for The validity period is set on the CA under the configuration of the certificate template. The -verify switch checks the signature of the file to make sure it hasn't been modified. $ openssl genrsa -out example.com.key 4096 $ openssl req -new -sha256 -key example.com.key -out example.com.csr. Tuesday April 17th, 2018 at 08:03 PM. You will notice that the -x509 , -sha256 , and -days parameters are missing. DESCRIPTION. openssl genrsa -out bookstyle.key 2048 openssl req -new -key bookstyle.key -out bookstyle.csr -config bookstyle.cnf. openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \ -CA cacert.pem -CAkey key.pem -CAcreateserial Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" openssl x509 -in cert.pem -addtrust clientAuth \ -setalias "Steve's Class 1 CA" -out trust.pem NOTES. Generating RSA Key Pairs. The commit adds an example to the openssl req man page:. You request the certificate the CA determines the length the certificate will be valid. OpenSSL is a cryptography toolkit implementing the Transport Layer Security (TLS v1) network protocol, as well as related cryptography standards.. openssl req -text -in yourdomain.csr -noout -verify. JD says: Reply. Sign a certificate request: openssl ca -in req.pem -out newcert.pem Sign a certificate request, using CA extensions: openssl ca -in req.pem -extensions v3_ca -out newcert.pem Generate a CRL openssl ca -gencrl -out crl.pem Sign several requests: openssl ca -infiles req1.pem req2.pem req3.pem Certify a Netscape SPKAC: openssl ca -spkac spkac.txt Running this command provides you with the following output: verify OK Certificate Request… You can create RSA key pairs (public/private) from PowerShell as well with OpenSSL. OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. More information on creating RSA keys is available on the man page of genrsa, and more information on creating Certificate Signing Requests is available in the man page of req. Convert a certificate to a certificate request: openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem Convert a certificate request into a self signed certificate using extensions for a CA: openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \ -signkey key.pem … Check man req for more information. I expect something like this, but I cannot find it anywhere in the docs. openssl x509 -req -in client.csr -signkey client.key -passin pass:clientPK -CA client-ca.crt -CAkey client-ca.key -CAkeypassin pass:client-caPK <-- does not work -CAcreateserial -out client.crt -days 365 See the highlighted parameter. The openssl program is a command line tool for using the various cryptography functions of openssl's crypto library from the shell.. Corrected openssl req -new -out MyFirst.csr. $ openssl asn1parse