Red Hat DocumentationFuse ESBToggle FramesPrintFeedback

The req Utility

Purpose of the req utility

The req utility is used to generate a self-signed certificate or a certificate signing request (CSR). A CSR contains details of a certificate issued by a CA. When creating a CSR, the req utility prompts you for the necessary information to produce a certificate request file and an encrypted private key file. The certificate request is then submitted to a CA for signing.

If the -nodes (no DES) parameter is not supplied to req, you are prompted for a pass phrase which is used to protect the private key.


It is important to specify a validity period (using the -days parameter). If the certificate expires, applications using that certificate will not be authenticated successfully.


The options supported by the openssl req utility are as follows:

-inform arg

input format - one of DER TXT PEM


arg output format - one of DER TXT PEM

-in arg

inout file

-out arg

output file


text form of request


do not output REQ


verify signature on REQ


RSA modulus


do not encrypt the output key

-key file

use the private key contained in file

-keyform arg

key file format

-keyout arg

file to send the key to

-newkey rsa:bits

generate a new RSA key of ‘bits’ in size

-newkey dsa:file

generate a new DSA key, parameters taken from CA in ‘file’


Digest to sign with (md5, sha1, md2, mdc2)

-config file

request template file


new request


output an x509 structure instead of a certificate req. (Used for creating self signed certificates)


number of days an x509 generated by -x509 is valid for


by default, the req command generates the correct PKCS#10 format for certificate requests that contain no attributes. However, certain CAs only accept requests containing no attributes in an invalid form: this option produces this invalid format.

Using the req Utility

To create a self-signed certificate with an expiry date a year from now, the req utility is used to create the certificate CA_cert.pem and the corresponding encrypted private key file CA_pk.pem, as follows:

openssl req -config ssl_conf_path_name -days 365 
            -out CA_cert.pem -new -x509 -keyout CA_pk.pem

This following command creates the certificate request MyReq.pem and the corresponding encrypted private key file MyEncryptedKey.pem:

openssl req -config ssl_conf_path_name -days 365
            -out MyReq.pem -new -keyout MyEncryptedKey.pem
Comments powered by Disqus