I know how to create a self-signed certificate in one command:

openssl req -x509 -newkey rsa:4096 \
-keyout my.key -passout pass:123456 -out my.crt \
-days 365 \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
-addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
-addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth

But I know another sequence:

  • generate private key (openssl genrsa)
  • generate CSR (openssl req -new)
  • sign CSR with private key (openssl x509)

like:

 # -aes256 is what makes -passout take effect; without a cipher option genrsa writes the key unencrypted
 openssl genrsa -aes256 -out my.key -passout pass:123456 2048

 openssl req -new \
   -key my.key -passin pass:123456 -out my.csr \
   -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal

 openssl x509 -req \
   -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
   -days 3650 -CAcreateserial \
   -extensions v3_ca \
   -extfile <( \
     echo "[v3_ca]"; \
     echo "extendedKeyUsage=serverAuth"; \
     echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")

Does it create a self-signed certificate functionally identical to the above one-liner?

gavenkoa

2 Answers

To answer your question briefly: yes.

Deepdive:

To understand this better, let me explain how the signing process works. To sign a certificate, you'll need a CA and the CA cert file's private key, or, in the case of self-signing, you'll just need the key used for the CSR and either set the CA to null (if it's required as a function) or not specify any CA via the command line.

The reason a private key and a crt file are required is to prevent unauthorized access to the CA's or sub-CA's infrastructure. To learn more, I'd suggest either googling the topic or looking into one of the following links, as they could be quite helpful for beginners. (Or advanced users! :P)

Wishing you the best with your projects!

~ Nathanna

Nathanna

Does signing a CSR with the same private key create a self-signed certificate?

NO. A certificate is not created by signing a CSR, although many people use this inaccurate description. A certificate is created by signing a certificate body which is NOT a CSR, although SOME of it is usually DERIVED from a CSR. You can see (and confirm) this by looking at the contents of the certificate body and of the CSR and seeing they are different.

Does it create a self-signed certificate functionally identical to the above one-liner?

Almost. The signing part, which you seem focussed on, is indeed identical; a self-signed cert is always signed with the 'same' key it contains, or more exactly the private half of the same keypair whose public half is in the cert. Both your methods do that. So would the other possible combinations: genrsa plus req -new -x509 -key using that key, and req [-new] -newkey -keyout generating a key and CSR and x509 -req -signkey signing a cert for that CSR, with that key. There are OTHER differences however which it appears you did not intend:

  • Your first method generates 4096-bit RSA key; your second does 2048, but could easily be changed.
  • Your first method sets the validity to 365 days; your second does 3650, but could easily be changed.
  • Your first method puts SAN KU EKU PLUS any extensions in the config file for this case, which you didn't show; your second does SAN EKU only, but could be changed to include KU and any other(s) that were in the config.
dave_thompson_085
  • I see that when you give a CSR to a CA it might reject much of the info from the CSR (like keyUsage or SAN). Only the identity part (subject) is migrated "literary", and it makes sense. So the CA sets its own expiry dates, SAN, policies in the certificate. For a self-signed certificate we are just in control of the CA signing process... *The confusing part is that the CA throws away the CSR signature; I thought it was embedded into the final CRT, but only the pub key is migrated from CSR to CRT*. Have to check all I said by comparing the output of CSR & CRT with `openssl asn1parse`. Tnx! – gavenkoa Nov 09 '20 at 10:57
  • You're welcome. The word I think you want there is 'literally' -- 'exactly the same (letters and) words'. The phrase 'word for word' has the same meaning, as does 'verbatim' which is the Latin (or Latinate) version but now adopted into English. – dave_thompson_085 Nov 09 '20 at 21:32
  • @dave_thompson_085 you are as proficient with the English language as you are with openssl. – mti2935 Jan 10 '21 at 02:21
  • @gavenkoa The CSR is self-signed (i.e. it is signed using the private key that corresponds to the public key in the CSR). See https://crypto.stackexchange.com/questions/40457/why-is-a-csr-signed-and-which-key-is-used-for-signing for the reasons for this. Then, the CSR is submitted to the CA, which creates a cert containing the public key and other info from the CSR, and the cert is signed using the CA's private key. – mti2935 Jan 10 '21 at 02:24
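The checks the answer and the last comments describe (the same public key in key, CSR and cert; the CSR carrying its own signature; the cert signed by the private half of the key it contains; the signed certificate body not being the CSR), as an added example that is not part of the question or either answer. It assumes openssl is on PATH (1.0.2 or later, no -addext needed), a writable directory as its argument, the question's placeholder passphrase, and a `v3` extension section name chosen here.

```shell
#!/usr/bin/env bash
# Added example, not from the question or answers. Assumes openssl on PATH
# and that $1 is a writable directory. PASS is the question's placeholder.
PASS=pass:123456

# Runs key -> CSR -> self-signed cert in $1, then checks the claims made in
# the answer. Returns 0 only if every check passes.
selfsigned_check() {
  local d=$1 k r c
  mkdir -p "$d" || return 1
  # 1. key: -aes256 is needed for -passout to encrypt anything
  openssl genrsa -aes256 -passout "$PASS" -out "$d/my.key" 2048 2>/dev/null || return 1
  # 2. CSR: subject + public key + the CSR's own signature, no extensions
  openssl req -new -key "$d/my.key" -passin "$PASS" -out "$d/my.csr" \
    -subj /CN=localhost/O=home/C=US || return 1
  # 3. cert: body built from the CSR's subject and key plus the extensions given here
  printf '[v3]\nsubjectAltName=DNS:localhost,DNS:web.internal\nextendedKeyUsage=serverAuth\n' >"$d/ext.cnf"
  openssl x509 -req -in "$d/my.csr" -signkey "$d/my.key" -passin "$PASS" -out "$d/my.crt" \
    -days 365 -extfile "$d/ext.cnf" -extensions v3 2>/dev/null || return 1

  # A. the same public key (compared as DER digests) is in key, CSR and cert
  k=$(openssl pkey -in "$d/my.key" -passin "$PASS" -pubout -outform DER | openssl sha256) || return 1
  r=$(openssl req -in "$d/my.csr" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256) || return 1
  c=$(openssl x509 -in "$d/my.crt" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256) || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1

  # B. the CSR verifies with the key inside it; the cert verifies against itself
  #    (issuer == subject, signature made by the private half of the embedded key)
  openssl req -in "$d/my.csr" -verify -noout 2>/dev/null || return 1
  openssl verify -CAfile "$d/my.crt" "$d/my.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$d/my.crt" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$d/my.crt" -noout -issuer | sed 's/^issuer=//')" ] || return 1

  # C. the signed body is not the CSR: the SAN exists only in the cert
  openssl x509 -in "$d/my.crt" -noout -text | grep -q 'DNS:web.internal' || return 1
  ! openssl req -in "$d/my.csr" -noout -text | grep -q 'DNS:web.internal' || return 1
}

selfsigned_check "$(mktemp -d)" && echo "all checks passed"
```

Swapping `-signkey my.key` for `-CA`/`-CAkey` of a separate CA turns check B's issuer comparison into a failure while check A's key comparison still holds, which is exactly the difference between a self-signed and a CA-signed cert for the same CSR.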