Non-interactive creation of SSL certificate requests
Solution 1
You are missing two parts:
the subject line, which can be called as
-subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=.../emailAddress=..."
- replacing ... with the value, X= being the X509 code (Organisation/OrganisationUnit/etc ...)
the password value, which can be called as
-passout pass:client11
-passin pass:client11
- which give an output/input password
My call for a new key looks like:
openssl genrsa -aes256 -out lib/client1.key -passout pass:client11 1024
openssl rsa -in lib/client1.key -passin pass:client11 -out lib/client1-nokey.key
openssl req -new -key lib/client1.key -subj req -new \
-passin pass:client11 -out lib/client1.csr \
-subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=.../emailAddress=..."
(now that I see it, there are two -new ...)
Solution 2
I append to my regular openssl command:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem
This line:
-subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc./OU=IT Department/CN=acme.com"
Description:
- Country Name (2 letter code) [AU]:PE
- State or Province Name (full name) [Some-State]:Lima
- Locality Name (eg, city) []:Lima
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Inc.
- Organizational Unit Name (eg, section) []:IT Department
- Common Name (e.g. server FQDN or YOUR name) []:acme.com
Use "/" as the separator.
Solution 3
Check for the -batch option as described in the official docs.
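An added example, not part of the answers above: POSIX shell helpers that build the -subj string from separate fields, escaping "/" so that a value such as an organization name cannot be split into extra fields, then create a CSR with no prompts and read its subject back. The function names and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and sample values are illustrative assumptions.

# Escape one DN value for -subj: "\" first, then "/" (field separator)
# and "+" (multi-valued RDN separator).
escape_dn_value() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's|/|\\/|g' -e 's/+/\\+/g'
}

# build_subj KEY VALUE [KEY VALUE ...]
# Prints /KEY=VALUE/... and skips fields whose value is empty.
build_subj() {
    subj=""
    while [ "$#" -ge 2 ]; do
        if [ -n "$2" ]; then
            subj="$subj/$1=$(escape_dn_value "$2")"
        fi
        shift 2
    done
    printf '%s' "$subj"
}

# make_csr SUBJ KEYFILE CSRFILE
# New unencrypted 2048-bit RSA key plus CSR; -subj supplies the DN and
# -batch keeps openssl from prompting.
make_csr() {
    (
        umask 077   # private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
            -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
    )
}

# csr_subject CSRFILE
# Prints the subject stored in the CSR so the caller can compare it
# with what was requested.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Usage with constructed values:
#   subj=$(build_subj C US ST "New Sweden" L Stockholm \
#          O "Acme/West" CN foobar.com)
#   make_csr "$subj" foobar.com.key foobar.com.csr && csr_subject foobar.com.csr
```

For an encrypted key, the pass:... form shown in Solution 1 places the passphrase on the command line, where other local users can read it from the process list. openssl also accepts file:path and env:VAR as passphrase sources.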
Updated on September 18, 2022
Comments
- dotancohen almost 2 years
Is there a way to create SSL cert requests by specifying all the required parameters on the initial command? I am writing a CLI-based web server control panel and I would like to avoid the use of expect when executing openssl if possible.
This is a typical way to create a cert request:
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr
Generating a 2048 bit RSA private key
.................................................+++
........................................+++
writing new private key to 'foobar.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Sweden
Locality Name (eg, city) []:Stockholm
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Scandanavian Ventures, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:foobar.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:FooBar
I am hoping to see something like this: (unworking example)
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr \
    -Country US \
    -State "New Sweden" \
    -Locality Stockholm \
    -Organization "Scandanavian Ventures, Inc." \
    -CommonName foobar.com \
    -EmailAddress [email protected] \
    -Company FooBar
The fine man page had nothing to say on the matter, nor was I able to find anything via Google. Must SSL cert request generation be an interactive process, or is there some way to specify all the parameters in a single command?
This is on a Debian-derived Linux distro running openssl 1.0.1.
- ceejayoz over 9 years
- dotancohen over 9 years: @ceejayoz: Very nice, thank you. א) Where are those openssl flags documented? ב) What did you google for to find that? Thank you!
- ceejayoz over 9 years: I googled "CSR generate script". The -subj parameter is documented (not in much detail) at openssl.org/docs/apps/req.html.
- sebix over 9 years: It is also possible to create a config file, typically called openssl.cnf.
- dotancohen over 9 years: Thank you. I see that the batch option exists, but there seems to be no explanation of how to use it.
- dotancohen over 9 years: Why was this answer downvoted? Is batch not a possible solution to the issue? From the name, it sounds like it just might be.
- eject over 9 years: It's definitely the only way to do this, with the -batch option; why it was downvoted I have no idea. The statement "The fine man page had nothing to say on the matter" is false, because of the "-batch" option.
- dotancohen over 9 years: Upvoted for mentioning batch, as even though I didn't use it in the solution it may come in handy in the future.
- dotancohen over 5 years: It seems that the accepted answer already includes this information. Otherwise, thank you.
- mustaccio almost 4 years: This answer doesn't seem to be very useful, as it doesn't explain how to use that option (neither does the doc). Using -batch without -subj causes the command to fail, while using -subj without -batch works just fine, so it's unclear what benefit -batch provides, if any.
- Mireodon over 3 years: Upvoted since this answer better explains the data to put into the -subj line