How to change only the subject(CN) in existing csr
Solution 1
You cannot change anything in the request file, because it is a digitally signed message. If you change at least one bit there, you invalidate the signature. CA server will reject it.
What you can do:
- generate a new CSR
- instruct CA to ignore subject field and specify another one during certificate issuance (this procedure depends on CA software).
Solution 2
TL;DR:
Try this:
openssl req -in /your/csr/file.csr -out /your/csr/newfile.csr -subj "/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=newsubdomain.example.com"
More descriptive way:
If you describe the CSR with openssl command openssl req -in /your/csr/file.csr -noout -text
you will see there are some sections in it:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=ID, ST=REDACTED, L=REDACTED, O=REDACTED, OU=REDACTED, CN=subdomain.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:00:11:
To get the current Subject
part of your CSR, you can run this command: openssl req -in /your/csr/file.csr -noout -subject
, and you will get this:
subject=/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=subdomain.example.com
You can change it to match your need by running this command:
openssl req -in /your/csr/file.csr -out /your/csr/newfile.csr -subj "/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=newsubdomain.example.com"
Then voila! your have a new CSR with the same public key (the Subject Public Key Info
section) with updated Subject
part. You can always inspect your CSR again with the same command as above, but remember to specify the correct file (i.e. /your/csr/newfile.csr
).
Swapnil More
Updated on July 03, 2022Comments
-
Swapnil More almost 2 years
I have a csr(Certificate Signing Request).
I have to just change the CN from that csr, leaving other fields intact. It is like updating the existing csr.
This should be done automatically. Is there any method to do this in c/c++/openssl?