Sign certificate request error "Expecting trusted request"

Question

I tried to use openssl to sign cert request with my own CA. There are two options.

1. openssl x509.

   openssl X509 -req -CA ca.crt -CAkey ca.pem -in bob.csr -out bob.crt -CAcreateserial`
   

Some posts say x509 is used to generate self-signed certificates.

But error occurs using openssl X509:

unable to load certificate
6612:error:0906D06C:PEM routines:PEM_read_bio:no start       
line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

2. openssl ca:

   openssl ca -in bob.csr -out bob.crt -keyfile ca.key
   

It needs to config openssl.config beforehand. E.g., create dir ./demoCA.

Please let me know which way is correct. If openssl x509 is correct, how to solve expecting trusted certificate error? Very appreciate!

Answer 1

Please let me know which way is correct. If openssl x509 is correct, how to solve expecting trusted certificate error? Very appreciate!

You use openssl x509 to work with certificates. Since you don't have a certificate, you should not use openssl x509.

You use openssl req for signing requests. If you use just openssl req, then you create a signing request.

If you use openssl req -x509, then you create a self signed certificate. It forgoes the signing request and moves directly to the certificate.

If you need help becoming your own CA, then see How do you sign Certificate Signing Request with your Certification Authority?

If you need help with signing requests and well-formed certificates, then see How to create a self-signed certificate with openssl?.