openssl req -new with some default subj values

Solution 1:

You can do it on the command line with read and using the result variable in your openssl command:

read -p "FQDN? " cn; openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout "$cn.key" -subj "/CN=$cn/emailAddress=admin@$cn/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit" -out "$cn.csr"

If this is something you do often, make it a function and add it to your .bashrc file, which allows you to replace the prompt with an argument:

function csr { openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout "$1.key" -subj "/CN=$1/emailAddress=admin@$1/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit" -out "$1.csr"; }

Then invoke it whenever you need to, like so:

csr example.com

The following openssl.conf file does almost the same thing:

[req]
default_bits=2048
encrypt_key=no
default_md=sha256
distinguished_name=req_subj
[req_subj]
commonName="Fully Qualified Domain Name (FQDN)"
emailAddress="Administrative Email Address"
countryName="Country Name (2 letter code)"
countryName_default=US
stateOrProvinceName="State Name (full name)"
stateOrProvinceName_default=Ohio
localityName="Locality Name (e.g., city)"
localityName_default=Columbus
organizationName="Organization Name (e.g., company)"
organizationName_default=Widgets Inc
organizationalUnitName="Organizational Unit Name (e.g., section)"
organizationalUnitName_default=Some Unit

Then either set your OPENSSL_CONF environment variable to that file

export OPENSSL_CONF=~/.dotfiles/openssl.conf

or specify it via switch on the CLI

openssl req -new -config openssl.conf -keyout example.key -out example.csr

I say almost because it still prompts you for those attributes, but they're now the default, so you can just hammer the Return key to the end after specifying the domain and your email.
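
An added example (not code from either answer) for the -subj approach: OpenSSL's one-line DN syntax treats '/', '+' and '\' specially, so a value containing one of them, or a stray backslash before the '/' that precedes emailAddress, folds the next field into the CN instead of creating a separate RDN. The script below escapes values before composing the string, then reads the subject back out of the CSR as a check. The function names and the fixed Ohio/Widgets Inc defaults are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from either answer. Builds the -subj string for
# "openssl req" from shell variables with proper escaping, generates the
# CSR non-interactively, and prints the subject OpenSSL actually parsed.
# Function names and the fixed DN defaults are assumptions for illustration.

# '/' separates RDNs, '+' joins multi-valued RDNs, '\' is the escape char.
# Backslash is escaped first so the escapes added afterwards are not doubled.
subj_escape() {
    printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|/|\\/|g' -e 's|+|\\+|g'
}

# Compose the full subject: $1 = common name (FQDN), $2 = admin address.
# The remaining fields are fixed defaults, as in the answer above.
build_subj() {
    printf '/CN=%s/emailAddress=%s/C=US/ST=Ohio/L=Columbus/O=%s/OU=%s' \
        "$(subj_escape "$1")" "$(subj_escape "$2")" \
        "$(subj_escape 'Widgets Inc')" "$(subj_escape 'Some Unit')"
}

# Generate key + CSR for the FQDN in $1 without any prompts, then print the
# subject as OpenSSL parsed it so a bad escape is caught before submission.
# Requires openssl on PATH.
csr() {
    fqdn=$1
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$fqdn.key" -out "$fqdn.csr" \
        -subj "$(build_subj "$fqdn" "admin@$fqdn")" 2>/dev/null &&
    openssl req -in "$fqdn.csr" -noout -subject
}

# Stand-alone demo: show the subject string that would be handed to openssl;
# the CSR itself is only generated when an FQDN is given as an argument.
build_subj "${1:-example.com}" "admin@${1:-example.com}"; echo
if [ $# -gt 0 ]; then csr "$1"; fi
```

Run it as `sh csr.sh example.com` to produce example.com.key and example.com.csr; without an argument it only prints the composed subject.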

Solution 2:

I'm not sure if there's a way to do that from only command line values. I have always used the config file to accomplish this. For example, the entries to set the defaults in your config might look like:

policy = policy_anything

# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
commonName = supplied
name = optional
emailAddress = optional

####################################################################
# request handling

[ req ]
default_bits = 2048
default_keyfile = private/key.pem
default_md = default
distinguished_name = standard_dn

####################################################################
# DN (Subject) handling

[ standard_dn ]

countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California

localityName = Locality Name (eg, city)
localityName_default = Beverly Hills

commonName = Common Name (eg, YOUR name)
commonName_default = John Smith
commonName_max = 64

emailAddress = Email Address
emailAddress_default = [email protected]
emailAddress_max = 64