Avoid password prompt for keys and prompts for DN information

openssl ssl-certificate prompt x509

116,717

Solution 1

Edit: This is by far my most popular answer, and it's been a few years on now so I've added an ECDSA variant. If you can use ECDSA you should.

You can supply all of that information on the command line.

One step self-signed password-less certificate generation:

RSA Version

openssl req \
    -new \
    -newkey rsa:4096 \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout www.example.com.key \
    -out www.example.com.cert

ECDSA version

openssl req \
    -new \
    -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout www.example.com.key \
    -out www.example.com.cert

All of the openssl subcommands have their own man page. See man req.

Specifically addressing your questions and to be more explicit about exactly which options are in effect:

The -nodes flag signals to not encrypt the key, thus you do not need a password. You could also use the -passout arg flag. See PASS PHRASE ARGUMENTS in the openssl(1) man page for how to format the arg.
Using the -subj flag you can specify the subject (example is above).

Solution 2

Doesn't -passin option do the trick for you?

With file:pathname form you can be quite safe with permissions 600 for that file.

Solution 3

The accepted answer needs a couple of small corrections. EC Lines:

-newkey ec
-pkeyopt ec_paramgen_curve:prime256v1

should be:

 -newkey ec \
 -pkeyopt ec_paramgen_curve:prime256v1 \

On MacOS - OpenSSL 1.0.2f installed via brew I verified the the accepted answer as described below

To list available Elliptic curves:
```
$ openssl ecparam -list_curves
```

To generate a key file:

$ openssl ecparam -name secp256k1 -out secp256k1.pem

To generate the cert without password prompt:

openssl req \
    -new \
    -newkey ec:secp256k1.pem \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=US/ST=FL/L=Ocala/O=Home/CN=example.com" \
    -keyout server.key \
    -out server.crt

To view the cert:

$ openssl x509 -noout -text -in server.crt

Solution 4

Try the following command:

openssl genrsa -des3 -out user.key -passout pass:foo 1024

The skipping part is: -passout pass:foo.

Solution 5

@bahamat has a great answer. Unfortunately some versions of openssl throw an error when trying to create an ECDSA certificate with one command. The error goes something like:

routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404

I was using openssl 1.0.1e-fips on CentOS 7.

Creating your certificate with the following 3 commands seems to work:

openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem

View more solutions

116,717

jww

Updated on September 17, 2022

Comments

jww over 1 year

I am using following code to generate keys:

apt-get -qq -y install openssl;
mkdir -p /etc/apache2/ssl;
openssl genrsa -des3 -out server.key 1024;
openssl req -new -key server.key -out server.csr;
cp server.key server.key.org;
openssl rsa -in server.key.org -out server.key;
openssl x509 -req -days 12000 -in server.csr -signkey server.key -out server.crt;
mv server.crt  /etc/apache2/ssl/cert.pem;
mv server.key  /etc/apache2/ssl/cert.key;
rm -f server.key.orig;
rm -f server.csr

I have two questions:

How can I skip the passphrase prompting? Would it be reasonably safe for me to do so? (as in it should not be downright foolish like anyone should be able to hack the certificate)
How do I avoid the prompting for the country name, organization etc. I hope I can give them on command prompt (the man page shows only top level options for OpenSSL)

Jason over 13 years

Saw the option in man page. Looks like I can have the passphrase that way without prompting. Thanks!
oberstet about 12 years

Reading stuff via "-subj" works great, however - for me - only when OPENSSL_CONF is NOT set. IOW: if OPENSSL_CONF is set, OpenSSL will try reading from there, and ignore "-subj" command line argument. Took me a while to figure out.
bahamat about 12 years

oberstet: Yes, that is true.
oberstet about 12 years

Is it possible to pass the subject key itself from stdin? I have tried "-key stdin", "-key fd:1" and "-key -" .. with no luck.
oberstet about 12 years

I have split out the Q: superuser.com/questions/407874/…
Cerin over 10 years

Does this support a wildcard?
bahamat over 10 years

If you mean a wildcard CN, it should. Although I haven't tried it.
Jeremy Baker almost 9 years

Is it possible to specify the -CA and -CAkey options in this single step command? I'd like to sign it using my CA files.
bahamat almost 9 years

@JeremyBaker: No, you'll need a two step process for that. Omit the -x509 and -days to generate a CSR instead of a certificate then use your usual CA signing method.
Ramhound almost 8 years

How is this different from the accepted answer?
Andrei Sura almost 8 years

The only important difference is that I explicitly list the step of generating the pem file. The accepted answer is missing the two \ characters and it made me think that the command is incorrect.
Ramhound almost 8 years

You might want to mention that fact. If the accepted answer is indeed incomplete, and is missing characters, important to highlight the differences and how your answer contains important significant information.
ᴠɪɴᴄᴇɴᴛ over 7 years

Shouldn’t the last line end with server.crt?
jww over 7 years

This is not quite correct: -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" You can't [properly] set the server's name from the command line. To place the server name in the Subject Alternate Name, you must use a OpenSSL configuration file. Otherwise, the server name is placed in the Common Name and the certificate will not validate under browsers.
bahamat over 7 years

@jww SAN is not required. Browsers will validate the subject CN just fine. Subject Alternate Name, as its name implies is an alternate name for the subject field.
jww over 7 years

@bahamat - Citation, please. Here's the document that tells us the SAN is required: CA/Browser forum Baseline Requirements; section 7.4. the same document tells us the CN is deprecated but not forbidden (yet).
Insomniac Software about 7 years

@jww - and that time has come. Starting with Chrome v58, when attempting to load a secure page but the certificate doesn't contain a matching subjectAltName, it shows a privacy error page with the error message "NET::ERR_CERT_COMMON_NAME_INVALID". Clicking on the advanced button shows the message "... its security certificate is from [missing_subjectAltName]"
Luca Piciullo over 5 years

And with -passin 'pass:YOUR_PASSWORD'? - doc: openssl.org/docs/man1.0.2/apps/…
Redzarf over 4 years

The state of denial is a nice touch :-)
grove over 3 years

What is foo ?
Admin almost 2 years

@ChamindaBandara foo is an example password for demonstration