OpenSSL: How to create a certificate with an empty subject DN?
Is it possible to create a PKCS#10 certificate request / X.509 certificate with the identifying information only in the subject alternate name attribute/extension? According to X.509 4.1.2.6 Subject, the subject can be empty for a certificate whose subject is not a CA as long as the subjectAltName is critical.
But when I use this config file with an empty distinguished_name section:
# request.config
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:[email protected]
and these commands:
openssl genrsa 1024 > key.pem
openssl req -new -key key.pem -out req.pem -config request.config
OpenSSL complains:
error, no objects specified in config file
problems making Certificate Request
Solution 1:
This worked for me:
test-no-cn.cnf file
[req]
default_bits = 4096
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:[email protected],URI:http://example.com/,IP:192.168.7.1,dirName:dir_sect
[dir_sect]
C=DK
O=My Example Organization
OU=My Example Unit
CN=My Example Name
Generate the CSR
openssl req -new -newkey rsa:4096 -nodes -config test-no-cn.cnf -subj "/" -outform pem -out test-no-cn.csr -keyout test-no-cn.key
Sign the CSR
openssl x509 -req -days 365 -in test-no-cn.csr -signkey test-no-cn.key -out test-no-cn.crt -outform der -extensions v3_req -extfile test-no-cn.cnf
View the resulting certificate
openssl x509 -inform der -in test-no-cn.crt -noout -text
Solution 2:
I also ran into this "no objects specified" error. It was displaying a prompt like this for various fields:
US []:
And I was just pressing enter because I had already set these values in the .cnf file. It turns out I needed to type all the values again, and then it worked.
Solution 3:
The problem is with prompt = no in the original config. That makes openssl req assume you intend to specify subject entries in the config file and hit a preliminary check in req.c.
There's a workaround: Remove prompt = no, and instead add -subj / to your openssl req command line. Here's an example script that produces both a CSR and a self-signed certificate:
cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:[email protected]
EOF
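# CSR: extensions are taken from req_extensions (v3_req)
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -out req.csr
# Self-signed certificate: with -x509, req reads x509_extensions rather than
# req_extensions, so name the section explicitly
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -extensions v3_req -x509 -out cert.crt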
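A check for the output of commands like these, as an added example that is not part of the original answers: it creates two self-signed certificates with an empty subject via -subj "/", then tests each against the rule quoted in the question (an empty subject requires a critical subjectAltName). The function names, file names and user@example.com are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original answers. File names and the address
# user@example.com are constructed for this demonstration.

# make_cert OUT SAN: self-signed certificate with an empty subject DN.
make_cert() {
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/req.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ext ]
keyUsage = digitalSignature
subjectAltName = $2
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$tmp/req.cnf" \
    -subj "/" -extensions v3_ext -days 1 \
    -keyout "$tmp/key.pem" -out "$1" 2>/dev/null
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# check_empty_subject CERT: exit status 0 if the certificate satisfies the
# RFC 5280 4.1.2.6 rule quoted in the question, 1 if the subject is empty
# and the subjectAltName extension is missing or not marked critical.
check_empty_subject() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//')
  [ -n "$subj" ] && return 0   # non-empty subject: the rule does not apply
  openssl x509 -in "$1" -noout -text |
    grep -q 'X509v3 Subject Alternative Name: critical'
}

# Demo: one compliant certificate, one with a non-critical SAN.
out=$(mktemp -d)
make_cert "$out/ok.pem"  "critical,email:user@example.com"
make_cert "$out/bad.pem" "email:user@example.com"
for c in ok bad; do
  if check_empty_subject "$out/$c.pem"; then
    echo "$c: ok"
  else
    echo "$c: empty subject without a critical subjectAltName"
  fi
done
rm -rf "$out"
```

OpenSSL does not refuse to issue the non-critical variant, so a check like this belongs in whatever pipeline accepts or issues such certificates.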
Solution 4:
Try "commonName = optional" in policy sections in openssl configuration file.