Linux – How Do I Create a New CSR Using the Data From a Previous CSR

csr linux openssl

I need to get SSL certificates reissued for about 30 of my clients. I was hoping for an easy way to get the contents of their current CSRs, pipe them into openssl req -new ... and generate a whole new set of CSRs and new keys. I saw on the openssl man page that you can do openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem but this expects key.pem to already be created.

Can anyone help with a way to do this other than viewing the contents of each individual cert and copy-n-pasting into the new request?

Thanks!

Best Answer

The point of the re-keying exercise is to make a new private/public key pair. The key.pem file referenced in that command is your new private key.

You can create it with the openssl genrsa 2048 > newkey.pem command. You'll probably want to substitute the modulus (key size) you're currently using rather than just blindly using 2048. You can get the modulus of the current cert, if you so choose, with the openssl x509 -noout -modulus -in current.crt command. Count the number of hex digits after the "=" in the output and multiply that count by 4 to get the number of bits.

Once you've generated a new private key then you can use the openssl x509 -x509toreq command to generate a new CSR.

Edit:

I assumed you wouldn't be the only person looking for this and did some searching. I came up with this very reasonable-looking script to re-key and generate CSRs from the command-line.