> On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users
> <openssl-users@openssl.org> wrote:
>
> I am trying to implement automated domain certificate renewal. A certificate
> signing request is sent to an ACME server and on success a certificate is
> returned. I'd like to be able to call OpenSSL to make a new key and then make
> a new certificate signing request just like the old one except for the
> replacement key pair file.
>
> I suppose the complete information beyond the new key data is available both
> in the old csr and the old certificate. I'm looking at the manpages of
> OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq'
> gave me a momentary rush of hope, but then I read about the '-signkey'
> option, which seems to be exclusively about self-signing.
>
> Is 'cloning' the csr or cert. information semantically logical? Is it
> possible with OpenSSL?
>
> If I can't reliably extract the relevant data from the old csr or old
> certification, I suppose I must do it as usual with a dedicated config file
> and the '-batch' option:
>
>     openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch

openssl x509 -x509toreq should do the trick

E.g.

    # generate test cert
    openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
    openssl x509 -in x.crt -noout -text

    # turn test cert into a request
    openssl x509 -x509toreq -signkey x.key < x.crt

Dw