Is it possible that openssl is missing country / common name hints?

Is there any way to make openssl skip hints like

 Country Name (2 letter code) [US]:
 Organization Name (eg, company) [My Company Name LTD.]:
 Common Name (eg, YOUR name) [something]:

When creating certificates with

 openssl req -config openssl.cnf -new -x509 ... 

given the fact that these parameters are presented in the openssl.cnf file

eg.

 countryName = Country Name (2 letter code)
 countryName_default = US
 countryName_min = 2
 countryName_max = 2
 0.organizationName = Organization Name (eg, company)
 0.organizationName_default = My Company Name LTD.
 commonName = Common Name (eg, YOUR name)
 commonName_max = 64
 commonName_default = ${ENV::CN}
+70
openssl
Nov 10 '11 at 5:13
4 answers

Thanks @indiv.

According to this guide, -subj is a way, for example:

 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' 
+112
Nov 11 '11 at 8:41

Another solution is to use the prompt directive in your configuration file.
See OpenSsl: Configuration File Format

prompt

if set to no, this disables the request for certificate fields and simply accepts values from the configuration file directly. It also changes the expected format of the distinguished_name and attributes sections.

There are two different formats for the distinguished name and attribute sections.

If the prompt parameter is set to no, then these sections consist only of field names and values, for example:

 CN=My Name
 OU=My Organization
 emailAddress=someone@somewhere.org

This allows external programs (for example, based on a graphical interface) to generate a template file with all field names and values and simply transfer it to req.

Alternatively, if the prompt parameter is absent or not set to no, then the file contains information about the field request. It consists of lines of the form:

 fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4
+30
Mar 12 2018-12-12T00:

Create a configuration file, and in the [req] section you can set prompt = no.

For example:

 [req]
 prompt = no
 distinguished_name = req_distinguished_name
 req_extensions = v3_req

 [req_distinguished_name]
 C = US
 ST = California
 L = Los Angeles
 O = Our Company Llc
 #OU = Org Unit Name
 CN = Our Company Llc
 #emailAddress = info@example.com

 [v3_req]
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 subjectAltName = @alt_names

 [alt_names]
 DNS.1 = example.com
 DNS.2 = www.example.com

Then just do, for example:

 openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr 
+11
Apr 08 '17 at 0:31
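
The config-file approach from the answer above, as an added example that is not part of the original answers: it writes the same prompt = no configuration (without the commented-out lines), builds the CSR with stdin closed so a prompt would fail instead of hanging, and checks that the subject and subjectAltName entries are in the request. The function names and file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example. example.com and "Our Company Llc" are the sample values from the answer.

# make_csr DIR: write req.conf, example.com.key and example.com.csr into DIR.
make_csr() {
    dir=$1
    cat > "$dir/req.conf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
CN = Our Company Llc

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    openssl genrsa -out "$dir/example.com.key" 2048 2>/dev/null || return 1
    # stdin is /dev/null: if openssl tried to prompt it would read EOF, not block.
    openssl req -new -sha256 -config "$dir/req.conf" \
        -key "$dir/example.com.key" -out "$dir/example.com.csr" </dev/null
}

# csr_subject FILE: print the subject DN in RFC 2253 form.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_has_san FILE NAME: succeed only if NAME is listed as a DNS subjectAltName.
# NAME is used as a regular expression, so pass plain host names only.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -Eq "DNS:$2(,|[[:space:]]*\$)"
}
```

Run make_csr on a scratch directory, then csr_subject and csr_has_san on the resulting example.com.csr before submitting it; a CSR whose SAN list is empty usually means req_extensions was not picked up.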

Mixed approach not supported

It may seem intuitive that a mixed approach is possible, where you put some static fields in openssl.cnf and specify some (CN) with the -subj option. However, this does not work.

I checked the script where I

  • put C, ST, L, O and OU in the openssl.cnf req_distinguished_name section and
  • ran openssl req with -subj=/CN=www.mydom.com.

openssl complained that the required field "Country Name" is missing, and CN was just in the subject line in the generated certificate. It seems that the -subj option completely overlaps the subject line and does not allow updating a single field.

This makes all of the following three approaches to providing subject fields exclusive to each other:

  • prompts
  • configuration file
  • -subj option
+2
Aug 14 '19 at 9:30