How to change only the subject (CN) in an existing CSR


Solution 1

You cannot change anything in the request file, because it is a digitally signed message. If you change even one bit there, you invalidate the signature. The CA server will reject it.

What you can do:

  1. generate a new CSR
  2. instruct the CA to ignore the subject field and specify another one during certificate issuance (this procedure depends on the CA software).

Solution 2

TL;DR:

Try this:

openssl req -in /your/csr/file.csr -out /your/csr/newfile.csr -subj "/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=newsubdomain.example.com"

More descriptive way:

If you describe the CSR with the openssl command openssl req -in /your/csr/file.csr -noout -text, you will see there are some sections in it:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=ID, ST=REDACTED, L=REDACTED, O=REDACTED, OU=REDACTED, CN=subdomain.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:00:11:

To get the current Subject part of your CSR, you can run this command: openssl req -in /your/csr/file.csr -noout -subject, and you will get this:

subject=/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=subdomain.example.com

You can change it to match your needs by running this command:

openssl req -in /your/csr/file.csr -out /your/csr/newfile.csr -subj "/C=ID/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=newsubdomain.example.com"

Then voila! You have a new CSR with the same public key (the Subject Public Key Info section) and an updated Subject part. You can always inspect your CSR again with the same command as above, but remember to specify the correct file (i.e. /your/csr/newfile.csr).
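
An added example (not from either answer or the original page): a shell sketch that re-issues a CSR with only the CN changed, signs it with the existing private key, and checks the self-signature of every file it produces with openssl req -verify. The function names, temp-file names and the /C=ID/O=Example/... subject are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, key size and subject values are constructed.

# True when the CSR's self-signature verifies. OpenSSL's wording varies by
# version, but a good signature always reports "verify OK".
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Subject in the /C=.../CN=... form that -subj accepts.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Public key carried in the CSR (PEM), used to confirm the key is unchanged.
csr_pubkey() {
    openssl req -in "$1" -noout -pubkey
}

# reissue_csr OLD_CSR KEY NEW_CN OUT_CSR
# Copies the old subject, swaps only the CN, and signs a new request with KEY.
# Assumes plain ASCII subject values without "/" and a NEW_CN without "#".
# Attributes and extensions in OLD_CSR (for example SANs) are not carried over.
reissue_csr() {
    new_subj=$(csr_subject "$1" | sed "s#/CN=[^/]*#/CN=$3#")
    openssl req -new -key "$2" -subj "$new_subj" -out "$4"
}

# Builds a throwaway key and CSR, then produces two variants in a temp dir:
#   new.csr        re-issued and signed with the private key
#   rewritten.csr  subject replaced with -subj only, no key supplied
make_demo() {
    d=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/old.csr" -subj "/C=ID/O=Example/CN=subdomain.example.com" 2>/dev/null
    reissue_csr "$d/old.csr" "$d/key.pem" newsubdomain.example.com "$d/new.csr"
    openssl req -in "$d/old.csr" -out "$d/rewritten.csr" \
        -subj "/C=ID/O=Example/CN=newsubdomain.example.com" 2>/dev/null || true
    echo "$d"
}

d=$(make_demo)
for f in old new rewritten; do
    if csr_sig_ok "$d/$f.csr"; then echo "$f.csr: signature OK"
    else echo "$f.csr: signature INVALID or file missing"; fi
done
```

Running the same csr_sig_ok check on any CSR before submitting it shows whether the CA's proof-of-possession check will pass.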

Author by

Swapnil More

Updated on July 03, 2022

Comments

  • Swapnil More
    Swapnil More almost 2 years

    I have a CSR (Certificate Signing Request).

    I have to just change the CN from that CSR, leaving other fields intact. It is like updating the existing CSR.

    This should be done automatically. Is there any method to do this in C/C++/OpenSSL?