Why does generating a self-signed X509 certificate not require my public key?
The private key is the secret that identifies you; any signing or verification of your specific identity needs the private key. So any operation that will generate something meant to be derived from your identity will require it.
Also, you are not creating a certificate here, you are creating a certificate signing request, something you would hand to another party who would then generate the certificate to grant you access.
If you want to create a self-signed x509 certificate you should add the -x509 parameter, something like this:
openssl req -x509 -nodes -days 5000 -newkey rsa:2048 -keyout mypem.key -out mycert.crt
- where days are how long the cert is valid (5000 is effectively indefinite)
- nodes skips password business (skip for testing, omit for anything real)
- and also output the key and cert for later use
And @bartonjs is correct, private key to public key is possible, public key to private key is not. That’s why you can hand out the public key and no one can use that to impersonate you. The private key must be secret at all times.
If you are planning to act as the client wishing to gain access to the server and also as the server granting the request, you will first need to set up your certificate authority on the server, and the server's certificates.
Someone on Stack Overflow has a great answer on this already:
But the basic gist is, you set up the CA and crt of the server, then you do something like this on the server:
openssl x509 -req -days 30 -in request.csr -CA ca.crt -CAcreateserial -CAkey ca.key -out signedrequest.crt
You hand the “signedrequest.crt” back to the person who requested it.
I forgot to mention: get rid of -nodes in my command above, it skips the password process. Good for testing, bad for security. Just FYI.
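The two halves of the answer above (a self-signed certificate made with -x509, and a CA signing someone else's CSR with openssl x509 -req) put together as one runnable script. This is an added example, not code from the answer or from OpenSSL's documentation. It assumes the openssl command-line tool is installed; the file names, the "Demo Test CA" and "demo-client" subjects, and the working directory are made up for the demo, and -nodes is used only because this is a throwaway test key, exactly the caveat the answer makes. Beyond the two commands in the answer it also checks the results: that the CA cert is self-signed (issuer equals subject), that the client cert is not, that the client cert chains to the CA, and that the public key inside the issued cert is the one derived from the client's private key.

```shell
#!/bin/sh
# Added example (not part of the original answer): mini-PKI flow with openssl.
# Assumes the openssl CLI is available. File names and subjects are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA: -x509 turns the request into a self-signed certificate
#    instead of a CSR. -nodes leaves the key unencrypted (demo only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The client generates its own key pair and a CSR. No -x509 here, so the
#    output is only a request; the private key never leaves the client.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
}

# 3. The CA signs the CSR (the command from the answer). -CAcreateserial
#    creates ca.srl next to ca.crt on first use.
sign_csr() {
    openssl x509 -req -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" 2>/dev/null
}

# "yes" if the certificate's issuer equals its subject, i.e. it is self-signed.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$s" = "$i" ] && echo yes || echo no
}

# "ok" if client.crt validates against the CA certificate, "fail" otherwise.
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# "match" if the public key embedded in client.crt is the one derived from
# client.key. Both sides are compared as DER so formatting cannot differ.
keys_match() {
    cert_pub=$(openssl x509 -in "$WORK/client.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$WORK/client.key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Prints the issuer line of the client certificate, for the reader.
issuer_of() {
    openssl x509 -in "$WORK/client.crt" -noout -issuer
}

run_demo() {
    make_ca && make_csr && sign_csr
    echo "ca.crt self-signed:     $(is_self_signed "$WORK/ca.crt")"
    echo "client.crt self-signed: $(is_self_signed "$WORK/client.crt")"
    echo "chain to CA:            $(verify_chain)"
    echo "key/cert pair:          $(keys_match)"
    issuer_of
}

run_demo
```

Run it with sh and look at the last four lines: the CA cert reports self-signed while the client cert does not, the chain verifies, and the key pair matches. Dropping -nodes from make_csr is the only change needed to get a passphrase-protected client key, which is what the answer recommends for anything beyond testing.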