Signing a certificate signing request with a local certificate authority turns the requester's public key and subject into a certificate that chains to the local root. The risk is issuing a certificate that carries the wrong identity, lacks Subject Alternative Name entries, or accidentally looks like another CA.
The openssl x509 -req command can use a CA certificate and CA private key as a small signing authority for a CSR. It does not copy CSR extensions by default, so the issuer should write the final certificate extensions in an extension file instead of assuming requested CSR values will be included.
Keep the CA key protected, confirm the CSR subject before signing, and make the certificate purpose explicit with end-entity extensions. The issued certificate is ready only after openssl verify -CAfile returns OK and inspection shows CA:FALSE, the expected key usages, and the DNS or IP names clients will check.
Steps to sign a CSR with a local CA using OpenSSL:
- Verify the CSR self-signature and subject before issuing the certificate.
$ openssl req -in www.example.com.csr -noout -subject -verify
Certificate request self-signature verify OK
subject=C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com
CSR self-signature verification confirms the request was signed by the private key matching the embedded public key. It does not prove requester authorization or domain control.
- Save an extension file (www.example.com.ext) for a TLS server certificate that cannot sign other certificates.
[server_cert]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
Do not issue server or client certificates with CA:TRUE unless the certificate is meant to sign other certificates.
- Sign the CSR with the local CA certificate and key.
$ openssl x509 -req -in www.example.com.csr -CA local-ca.crt -CAkey local-ca.key -CAcreateserial -out www.example.com.crt -days 397 -sha256 -extfile www.example.com.ext -extensions server_cert
OpenSSL 3.5 writes no output for this command when signing succeeds. -CAcreateserial creates local-ca.srl if it does not already exist; keep the serial file with the CA material or use your CA's established serial-number process.
- Verify that the signed certificate chains to the local CA.
$ openssl verify -CAfile local-ca.crt www.example.com.crt
www.example.com.crt: OK
- Confirm the issued subject and local CA issuer.
$ openssl x509 -in www.example.com.crt -noout -subject -issuer
subject=C=US, ST=New York, L=New York, O=Example Corp, CN=www.example.com
issuer=C=US, O=Example Corp, CN=Example Local Root CA
- Inspect the end-entity extensions before installing the certificate.
$ openssl x509 -in www.example.com.crt -noout -ext basicConstraints,keyUsage,extendedKeyUsage,subjectAltName
X509v3 Basic Constraints: critical
    CA:FALSE
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication
X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:example.com

Install www.example.com.crt with the matching private key on the service. Distribute only local-ca.crt to clients that should trust certificates from this local CA.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.