Signing a certificate signing request with a local certificate authority turns the requester's public key and subject into a certificate that chains to the local root. The risk is issuing a certificate that carries the wrong identity, lacks Subject Alternative Name entries, or accidentally looks like another CA.
The openssl x509 -req command can use a CA certificate and CA private key as a small signing authority for a CSR. It does not copy CSR extensions by default, so the issuer should write the final certificate extensions in an extension file instead of assuming requested CSR values will be included.
Keep the CA key protected, confirm the CSR subject before signing, and make the certificate purpose explicit with end-entity extensions. The issued certificate is ready only after openssl verify -CAfile returns OK and inspection shows CA:FALSE, the expected key usages, and the DNS or IP names clients will check.
$ openssl req -in www.example.com.csr -noout -subject -verify
Certificate request self-signature verify OK
subject=C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com
CSR self-signature verification confirms the request was signed by the private key matching the embedded public key. It does not prove requester authorization or domain control.
[server_cert]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
Do not issue server or client certificates with CA:TRUE unless the certificate is meant to sign other certificates.
$ openssl x509 -req -in www.example.com.csr -CA local-ca.crt -CAkey local-ca.key -CAcreateserial -out www.example.com.crt -days 397 -sha256 -extfile www.example.com.ext -extensions server_cert
OpenSSL 3.5 writes no output for this command when signing succeeds. -CAcreateserial creates local-ca.srl if it does not already exist; keep the serial file with the CA material or use your CA's established serial-number process.
$ openssl verify -CAfile local-ca.crt www.example.com.crt
www.example.com.crt: OK
$ openssl x509 -in www.example.com.crt -noout -subject -issuer
subject=C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com
issuer=C=US, O=Example Corp, CN=Example Local Root CA
$ openssl x509 -in www.example.com.crt -noout -ext basicConstraints,keyUsage,extendedKeyUsage,subjectAltName
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:www.example.com, DNS:example.com
Install www.example.com.crt with the matching private key on the service. Distribute only local-ca.crt to clients that should trust certificates from this local CA.
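The whole procedure above run end to end, as an added shell example that is not part of the original page: it generates a throwaway local root CA and requester CSR (file names follow the page), signs with the page's [server_cert] extensions, and runs the post-issuance checks; the CSR deliberately requests CA:TRUE to show that x509 -req takes its extensions from -extfile, not from the request. The minimal req config, the scratch directory and all key material are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the page): the page's signing procedure run end to end in a scratch
# directory. File names follow the page; every key and certificate is throwaway demo material.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
# 1. Constructed req config so the demo ignores the system openssl.cnf; [server_cert] is the page's section.
cat > www.example.com.ext <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_cert]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
# 2. Throwaway local root CA.
openssl req -x509 -config www.example.com.ext -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/C=US/O=Example Corp/CN=Example Local Root CA" -keyout local-ca.key -out local-ca.crt 2>/dev/null
# 3. Requester key and CSR. The CSR deliberately asks for CA:TRUE to show that
#    x509 -req takes its extensions from -extfile, not from the request.
openssl req -new -config www.example.com.ext -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=US/ST=New York/L=New York/O=Example Corp/CN=www.example.com" \
  -addext "basicConstraints=CA:TRUE" -keyout www.example.com.key -out www.example.com.csr 2>/dev/null
# 4. Sign exactly as on the page.
openssl x509 -req -in www.example.com.csr -CA local-ca.crt -CAkey local-ca.key -CAcreateserial \
  -out www.example.com.crt -days 397 -sha256 -extfile www.example.com.ext -extensions server_cert 2>/dev/null
# 5. Post-issuance checks (-text rather than -ext so they also run on OpenSSL 1.1.1).
cert_text()          { openssl x509 -in www.example.com.crt -noout -text; }
csr_requested_ca()   { openssl req -in www.example.com.csr -noout -text | grep -q 'CA:TRUE'; }
chain_ok()           { openssl verify -CAfile local-ca.crt www.example.com.crt >/dev/null 2>&1; }
is_end_entity()      { cert_text | grep -q 'CA:FALSE' && ! cert_text | grep -q 'CA:TRUE'; }
has_san()            { cert_text | grep -q "DNS:$1"; }
issued_by_local_ca() { cert_text | grep -q 'Issuer:.*CN *= *Example Local Root CA'; }
for check in csr_requested_ca chain_ok is_end_entity "has_san www.example.com" \
             "has_san example.com" issued_by_local_ca; do
  $check || { echo "www.example.com.crt: REJECT ($check failed)"; exit 1; }
done
echo "www.example.com.crt: OK (end-entity, expected SANs, chains to local-ca.crt)"
```

Despite the CSR asking for CA:TRUE, the issued certificate carries the CA:FALSE, keyUsage and subjectAltName values from the extension file, which is exactly why the issuer should own that file rather than trust requested values.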