Avoid password prompt for keys and prompts for DN information
I am using following code to generate keys:
apt-get -qq -y install openssl;
mkdir -p /etc/apache2/ssl;
openssl genrsa -des3 -out server.key 1024;
openssl req -new -key server.key -out server.csr;
cp server.key server.key.org;
openssl rsa -in server.key.org -out server.key;
openssl x509 -req -days 12000 -in server.csr -signkey server.key -out server.crt;
mv server.crt /etc/apache2/ssl/cert.pem;
mv server.key /etc/apache2/ssl/cert.key;
rm -f server.key.orig;
rm -f server.csr
I have two questions:
How can I skip the passphrase prompting? Would it be reasonably safe for me to do so? (as in it should not be downright foolish like anyone should be able to hack the certificate)
How do I avoid the prompting for the country name, organization etc. I hope I can give them on command prompt (the man page shows only top level options for OpenSSL)
Solution 1:
Edit: This is by far my most popular answer, and it's been a few years on now so I've added an ECDSA variant. If you can use ECDSA you should.
You can supply all of that information on the command line.
One step self-signed password-less certificate generation:
RSA Version
openssl req \
-new \
-newkey rsa:4096 \
-days 365 \
-nodes \
-x509 \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-keyout www.example.com.key \
-out www.example.com.cert
ECDSA version
openssl req \
-new \
-newkey ec \
-pkeyopt ec_paramgen_curve:prime256v1 \
-days 365 \
-nodes \
-x509 \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-keyout www.example.com.key \
-out www.example.com.cert
All of the openssl subcommands have their own man page. See man req
.
Specifically addressing your questions and to be more explicit about exactly which options are in effect:
The
-nodes
flag signals to not encrypt the key, thus you do not need a password. You could also use the-passout arg
flag. SeePASS PHRASE ARGUMENTS
in theopenssl(1)
man page for how to format the arg.Using the
-subj
flag you can specify the subject (example is above).
Solution 2:
Doesn't -passin
option do the trick for you?
With file:pathname
form you can be quite safe with permissions 600 for that file.
Solution 3:
The accepted answer needs a couple of small corrections. EC Lines:
-newkey ec
-pkeyopt ec_paramgen_curve:prime256v1
should be:
-newkey ec \
-pkeyopt ec_paramgen_curve:prime256v1 \
On MacOS - OpenSSL 1.0.2f installed via brew I verified the the accepted answer as described below
-
To list available Elliptic curves:
$ openssl ecparam -list_curves
-
To generate a key file:
$ openssl ecparam -name secp256k1 -out secp256k1.pem
-
To generate the cert without password prompt:
openssl req \ -new \ -newkey ec:secp256k1.pem \ -days 365 \ -nodes \ -x509 \ -subj "/C=US/ST=FL/L=Ocala/O=Home/CN=example.com" \ -keyout server.key \ -out server.crt
-
To view the cert:
$ openssl x509 -noout -text -in server.crt
Solution 4:
Try the following command:
openssl genrsa -des3 -out user.key -passout pass:foo 1024
The skipping part is: -passout pass:foo
.
Solution 5:
@bahamat has a great answer. Unfortunately some versions of openssl throw an error when trying to create an ECDSA certificate with one command. The error goes something like:
routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404
I was using openssl 1.0.1e-fips
on CentOS 7
.
Creating your certificate with the following 3 commands seems to work:
openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -key key.pem -out csr.pem -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
openssl req -x509 -days 365 -key key.pem -in csr.pem -out certificate.pem