LFCS Question #425: Real Exam Question with Answer & Explanation

The correct answer is A: openssl req new x509 key privkey.pem out cacert.pem days 365. A self-signed certificate can be generated using the openssl req command with the new and x509 options, specifying the private key and validity period.

Submitted by krish.m· Apr 18, 2026Service Configuration

Question

What openssl command will generate a selfsigned test certificate?

Options

Aopenssl req new x509 key privkey.pem out cacert.pem days 365
Bopenssl sign key privkey.pem out cacert.pem days 365
Copenssl req key privkey.pem out cacert.pem days 365
Dopenssl sign new x509 key privkey.pem out cacert.pem days 365

Explanation

A self-signed certificate can be generated using the openssl req command with the new and x509 options, specifying the private key and validity period.

Common mistakes.

B. There is no standard openssl sign subcommand for generating certificates; signing operations are typically handled by openssl x509 when acting as a CA, or by openssl req -x509 for self-signing.
C. This command is missing the crucial -x509 flag, which is required to instruct openssl req to produce a self-signed certificate instead of a Certificate Signing Request (CSR).
D. This option uses the non-existent openssl sign subcommand and incorrectly combines new with x509 in a non-standard syntax.

Concept tested. OpenSSL self-signed certificate generation

Reference. https://www.openssl.org/docs/manmaster/man1/req.html

Topics

#openssl#certificate generation#self-signed certificate#TLS/SSL

Community Discussion

No community discussion yet for this question.

Full LFCS Practice Browse All LFCS Questions