
Can we generate the CSR (certificate signing request) used for certificate signing from the signed certificate? It should work with the original private key when signed again with a different authority.

NPC

3 Answers


What the user literally asked and actually wanted are slightly different things. Here is how to get what the user asked for. Hat tip

openssl x509 -x509toreq -in $SITENAME.crt -signkey $SITENAME.key -out $SITENAME-new.csr 

This uses all the certificate meta-information and the existing key from the existing certificate to create a new CSR. The new CSR must be sent to the new provider.

Note: it is seen as somewhat of a risk to re-use the same key over very long periods of time. However, certificates must be renewed every year or two years, while a 2048-bit key should be secure through 2030. This assumes your site has not been compromised in any way and that the key was not leaked due to the various vulnerabilities found in SSL in the last ten years.

For SNI: With hat-tip to "shams.haq" (unverified), with openSSL 3+:

openssl x509 -x509toreq  -copy_extensions copyall -in $SITENAME.crt -signkey $SITENAME.key -out $SITENAME-new.csr 
Otheus
  • It would appear this method does not carry along the alternative names. – DustWolf Jul 09 '21 at 14:18
  • @DustWolf True true. I worked up a script to this, but lost it -- it's a bit complicated. It can still be done in one line. – Otheus Jul 26 '21 at 17:14
  • With openssl 3.0.0 you can use the 'copy_extensions' option to get the alternative names carried over. [https://www.openssl.org/docs/manmaster/man1/openssl-x509.html#copy_extensions-arg] Example: openssl x509 -x509toreq -copy_extensions copyall -inform DER -in myapp_cert.cer -signkey my_private.key -out myapp-new.csr – shams.haq Oct 20 '21 at 01:01
  • Great tip @shams.haq ... very useful for renewals ;) ... for newer MacOS versions that ship `LibreSSL` instead of the actual `OpenSSL` you can install with homebrew `brew install openssl@3` and then force link it via `brew link --force openssl` and in a new terminal session or if you source your profile it should work...if it doesn't you can link it directly via PATH like `export PATH="/usr/local/opt/openssl@3/bin:$PATH"` and then the very useful `openssl x509 -x509toreq -copy_extensions copyall -in $SITENAME.crt -signkey $SITENAME.key -out $SITENAME-new.csr` functions as expected. – TryTryAgain Jun 16 '22 at 19:22

Using OpenSSL, this is what you would do:

$ openssl req -out codesigning.csr -key private.key -new

Where private.key is the existing private key.

As you can see you do not generate this CSR from your certificate (public key). Also you do not generate the "same" CSR, just a new one to request a new certificate.

As per your comment, if you do not have access to the existing private key then you can create a new private key and CSR:

$ openssl req -out codesigning.csr -new -newkey rsa:2048 -nodes -keyout private.key

The end results remain the same, you get a CSR and issue a new certificate.

Florian Bidabé
  • As mentioned in the question, I do not have access to the private key, but I want the newly generated certificate to work with the existing private key. – NPC Jan 28 '16 at 21:42
  • All right, then your last chance is to find the CSR that was generated with this private key. If you have lost or don't have access to this CSR, you are at a dead end. – Florian Bidabé Jan 28 '16 at 21:45
  • Also, as the owner of the remote device, you can either download a new CSR that the device generated for you, or regenerate a private key and CSR. If you cannot connect to this device and do not have access to the existing private key, then you cannot generate a new CSR, therefore you cannot re-issue a new certificate. The only issue that remains here is that you are either locked out of your own device or do not own this device. – Florian Bidabé Jan 28 '16 at 23:17
  • How do I keep the same public key for the new CSR? Do we need to use the same private key for generation, or anything other than this? Please help. – ɹɐqʞɐ zoɹǝɟ Jun 08 '17 at 11:54
  • (4 years later) @ɹɐqʞɐzoɹǝɟ The private key can be anything (the same one or a new one). The issuer does not know about it and does not care. It is, however, a good idea and an opportunity to use a new key, just in case the old one could have been compromised. – FractalSpace Apr 15 '21 at 17:51

Yes, as long as you have the private key, you can re-issue a new CSR by copying the fields (Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address) from the existing certificate to the CSR.

Edited from my comment: If you don't own the private key anymore you cannot generate a CSR. The private key is required in order to verify the identity of the requester (you) via digital signature; otherwise it would be trivial to generate CSRs - and then certificates - with fake credentials, and spoof any existing entity.

dr_
  • I do not have access to the private key to generate the CSR, as it is in the remote device and I can only apply a new certificate. Currently all I have is the existing certificate. – NPC Oct 30 '15 at 12:48
  • You need to copy the Subject DN (which can be a subset of the fields you listed) AND PUBLIC KEY, and sign the result. Note you don't need to write any code with (tagged) openssl since `openssl x509 -x509toreq` already does this. But as you say it needs the private key to sign. – dave_thompson_085 Oct 30 '15 at 20:29
  • Hi Vaibhav, what sort of "remote device" is that? Some appliances generate a private key and CSR, then offer to let you download the CSR (they keep their private key secure but do not provide access to it). – Florian Bidabé Jan 27 '16 at 21:41
  • +1 I agree that you need to prove possession of the private key in a CSR, but I don't agree with your reason why: "otherwise it would be trivial to generate CSRs ... spoof any existing entity." - So I manage to get a cert that I don't have the private key for... how is that any different from grabbing the cert for `google.com` from my browser? It's fine that I have it because I won't be able to actually use the cert for anything. – Mike Ounsworth Jan 27 '16 at 22:27
  • "as long as you have the private key, you can re-issue a new CSR by copying the fields ... from the existing certificate to the CSR." Yes, how do you do that, from the command line? – Otheus Apr 20 '16 at 13:07
  • For completeness: the CSR might also contain subject alternative names, x509 extensions, etc. Generating, for example, an openssl.cnf file that will reproduce most of that (I don't think a CA will give you a certificate that is valid retroactively) is definitely possible, but probably tedious. – Ulrich Schwarz Aug 24 '17 at 13:04
  • @Otheus: (necroed?) see my comment from Oct. '15: `openssl x509 -x509toreq` – dave_thompson_085 May 02 '19 at 02:42