3

I need to get SSL certificates reissued for about 30 of my clients. I was hoping for an easy way to get the contents of their currents CSRs, pipe them in to openssl req -new ... and generate a whole new set of CSRs and new keys. I saw on the openssl man page that you can do openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem but this expects key.pem to already be created.

Can anyone help with a way to do this other than viewing the contents of each individual cert and copy-n-pasting in to the new request?

Thanks!

Ken S.
  • 479
  • 5
  • 14

1 Answers1

6

The point of the re-keying exercise is to make a new private/public key pair. The key.pem file referenced in that command is your new private key.

You can create it with the openssl genrsa 2048 > newkey.pem command. You'll probably want to substitute the modulus (key size) you're currently using rather than just blindly using 2048. You can get the modulus of the current cert, if you so choose, with the openssl x590 -noout -modulus -in current.crt command. Counting the number of hex digits after the "=" in the output, and multiply that count by 4 to get the number of bits.

Once you've generated a new private key then you can use the openssl x509 -x509toreq command to generate a new CSR.

Edit:

I assumed you wouldn't be the only person looking for this and did some searching. I came with this very reasonable looking script to re-key and generate CSRs from the command-line.

Evan Anderson
  • 141,881
  • 20
  • 196
  • 331