> On 30 Jan 2020, at 21:38, Douglas Morris via openssl-users 
> <openssl-users@openssl.org> wrote:
> 
> I am trying to implement automated domain certificate renewal. A certificate 
> signing request is sent to an ACME server and on success a certificate is 
> returned. I'd like to be able to call OpenSSL to make a new key and then make 
> a new certificate signing request just like the old one except for the 
> replacement key pair file.
> 
> I suppose the complete information beyond the new key data is available both 
> in the old csr and the old certificate. I'm looking at the manpages of 
> OpenSSL subcommands 'req' and 'x509'. The openssl x509 option '-x509toreq' 
> gave me a momentary rush of hope, but then I read about the '-signkey' 
> option, which seems to be exclusively about self-signing.
> 
> Is 'cloning' the csr or cert. information semantically logical? Is it 
> possible with OpenSSL?
> 
> If I can't reliably extract the relevant data from the old csr or old 
> certification, I suppose I must do it as usual with a dedicated config file 
> and the '-batch' option:
>      openssl req -key <key> -new -config <config.ini> -outform PEM -out <outfile> -batch

openssl x509 -x509toreq should do the trick

E.g.

                
        # generate test cert
        openssl req -x509 -new -subj /CN=foo -nodes -keyout x.key > x.crt
        openssl x509 -in x.crt -noout -text

        # turn test cert into a request
        openssl x509 -x509toreq -signkey x.key < x.crt

Dw
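
An added example, not part of the thread or of OpenSSL itself: the same -x509toreq call, run with a replacement key as the original question asks, followed by a check that the resulting request keeps the old certificate's subject and carries the new public key before it is submitted. The function names (csr_matches_key, csr_matches_subject, clone_csr), the file names and the /CN=foo subject are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and the /CN=foo subject are constructed test values.

# Succeeds when the CSR's public key is the public half of the private key.
csr_matches_key() {        # $1 = CSR file, $2 = private key file
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Succeeds when the CSR and the certificate carry the same subject name.
csr_matches_subject() {    # $1 = CSR file, $2 = certificate file
    csr_subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    crt_subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ -n "$csr_subj" ] && [ "$csr_subj" = "$crt_subj" ]
}

# Clone old certificate $1 into CSR $3 signed with replacement key $2, then
# refuse the result unless it carries the old subject and the new public key.
clone_csr() {
    openssl x509 -x509toreq -signkey "$2" -in "$1" -out "$3" 2>/dev/null || return 1
    csr_matches_subject "$3" "$1" || { echo "subject differs from $1" >&2; return 2; }
    csr_matches_key "$3" "$2" || { echo "CSR does not carry the key in $2" >&2; return 3; }
}

# Constructed demo: old key and certificate, then a replacement key.
work=$(mktemp -d)
openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=foo \
    -keyout "$work/old.key" -out "$work/old.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/new.key" 2>/dev/null
if clone_csr "$work/old.crt" "$work/new.key" "$work/new.csr"; then
    echo "new.csr is ready to submit"
else
    echo "clone rejected (status $?); build the CSR with 'openssl req -new' instead"
fi
```

The outcome of the demo is reported rather than assumed, so the same script can be run against whichever openssl build handles the renewal.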
