Avoid password prompt for keys and prompts for DN information
Solution 1
Edit: This is by far my most popular answer, and it's been a few years on now so I've added an ECDSA variant. If you can use ECDSA you should.
You can supply all of that information on the command line.
One step self-signed password-less certificate generation:
RSA Version
openssl req \
-new \
-newkey rsa:4096 \
-days 365 \
-nodes \
-x509 \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-keyout www.example.com.key \
-out www.example.com.cert
ECDSA version
openssl req \
-new \
-newkey ec \
-pkeyopt ec_paramgen_curve:prime256v1 \
-days 365 \
-nodes \
-x509 \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-keyout www.example.com.key \
-out www.example.com.cert
All of the openssl subcommands have their own man page. See man req
.
Specifically addressing your questions and to be more explicit about exactly which options are in effect:
The
-nodes
flag signals to not encrypt the key, thus you do not need a password. You could also use the-passout arg
flag. SeePASS PHRASE ARGUMENTS
in theopenssl(1)
man page for how to format the arg.Using the
-subj
flag you can specify the subject (example is above).
Solution 2
Doesn't -passin
option do the trick for you?
With file:pathname
form you can be quite safe with permissions 600 for that file.
Solution 3
The accepted answer needs a couple of small corrections. EC Lines:
-newkey ec
-pkeyopt ec_paramgen_curve:prime256v1
should be:
-newkey ec \
-pkeyopt ec_paramgen_curve:prime256v1 \
On MacOS - OpenSSL 1.0.2f installed via brew I verified the the accepted answer as described below
To list available Elliptic curves:
$ openssl ecparam -list_curves
To generate a key file:
$ openssl ecparam -name secp256k1 -out secp256k1.pem
To generate the cert without password prompt:
openssl req \ -new \ -newkey ec:secp256k1.pem \ -days 365 \ -nodes \ -x509 \ -subj "/C=US/ST=FL/L=Ocala/O=Home/CN=example.com" \ -keyout server.key \ -out server.crt
To view the cert:
$ openssl x509 -noout -text -in server.crt
Solution 4
Try the following command:
openssl genrsa -des3 -out user.key -passout pass:foo 1024
The skipping part is: -passout pass:foo
.
Solution 5
@bahamat has a great answer. Unfortunately some versions of openssl throw an error when trying to create an ECDSA certificate with one command. The error goes something like:
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404
I was using openssl 1.0.1e-fips
on CentOS 7
.
Creating your certificate with the following 3 commands seems to work:
openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem
Related videos on Youtube
jww
Updated on September 17, 2022Comments
-
jww over 1 year
I am using following code to generate keys:
apt-get -qq -y install openssl; mkdir -p /etc/apache2/ssl; openssl genrsa -des3 -out server.key 1024; openssl req -new -key server.key -out server.csr; cp server.key server.key.org; openssl rsa -in server.key.org -out server.key; openssl x509 -req -days 12000 -in server.csr -signkey server.key -out server.crt; mv server.crt /etc/apache2/ssl/cert.pem; mv server.key /etc/apache2/ssl/cert.key; rm -f server.key.orig; rm -f server.csr
I have two questions:
How can I skip the passphrase prompting? Would it be reasonably safe for me to do so? (as in it should not be downright foolish like anyone should be able to hack the certificate)
How do I avoid the prompting for the country name, organization etc. I hope I can give them on command prompt (the man page shows only top level options for OpenSSL)
-
Jason over 13 yearsSaw the option in man page. Looks like I can have the passphrase that way without prompting. Thanks!
-
oberstet about 12 yearsReading stuff via "-subj" works great, however - for me - only when OPENSSL_CONF is NOT set. IOW: if OPENSSL_CONF is set, OpenSSL will try reading from there, and ignore "-subj" command line argument. Took me a while to figure out.
-
bahamat about 12 yearsoberstet: Yes, that is true.
-
oberstet about 12 yearsIs it possible to pass the subject key itself from stdin? I have tried "-key stdin", "-key fd:1" and "-key -" .. with no luck.
-
oberstet about 12 yearsI have split out the Q: superuser.com/questions/407874/…
-
Cerin over 10 yearsDoes this support a wildcard?
-
bahamat over 10 yearsIf you mean a wildcard CN, it should. Although I haven't tried it.
-
Jeremy Baker almost 9 yearsIs it possible to specify the
-CA
and-CAkey
options in this single step command? I'd like to sign it using my CA files. -
bahamat almost 9 years@JeremyBaker: No, you'll need a two step process for that. Omit the
-x509
and-days
to generate a CSR instead of a certificate then use your usual CA signing method. -
Ramhound almost 8 yearsHow is this different from the accepted answer?
-
Andrei Sura almost 8 yearsThe only important difference is that I explicitly list the step of generating the pem file. The accepted answer is missing the two \ characters and it made me think that the command is incorrect.
-
Ramhound almost 8 yearsYou might want to mention that fact. If the accepted answer is indeed incomplete, and is missing characters, important to highlight the differences and how your answer contains important significant information.
-
ᴠɪɴᴄᴇɴᴛ over 7 yearsShouldn’t the last line end with
server.crt
? -
jww over 7 yearsThis is not quite correct:
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
You can't [properly] set the server's name from the command line. To place the server name in the Subject Alternate Name, you must use a OpenSSL configuration file. Otherwise, the server name is placed in the Common Name and the certificate will not validate under browsers. -
bahamat over 7 years@jww SAN is not required. Browsers will validate the subject CN just fine. Subject Alternate Name, as its name implies is an alternate name for the subject field.
-
jww over 7 years@bahamat - Citation, please. Here's the document that tells us the SAN is required: CA/Browser forum Baseline Requirements; section 7.4. the same document tells us the CN is deprecated but not forbidden (yet).
-
Insomniac Software about 7 years@jww - and that time has come. Starting with Chrome v58, when attempting to load a secure page but the certificate doesn't contain a matching subjectAltName, it shows a privacy error page with the error message "NET::ERR_CERT_COMMON_NAME_INVALID". Clicking on the advanced button shows the message "... its security certificate is from [missing_subjectAltName]"
-
Luca Piciullo over 5 yearsAnd with
-passin 'pass:YOUR_PASSWORD'
? - doc: openssl.org/docs/man1.0.2/apps/… -
Redzarf over 4 yearsThe state of denial is a nice touch :-)
-
grove over 3 yearsWhat is
foo
? -
Admin almost 2 years@ChamindaBandara
foo
is an example password for demonstration