Is it possible to make openssl skip the country/common name prompts?
Thanks to @indiv.
According to this guide, -subj is the way to go, e.g.
-subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
Another solution consists of using the prompt = no directive in your config file.
See OpenSsl: Configuration file format
prompt
if set to the value no this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the distinguished_name and attributes sections.
There are two separate formats for the distinguished name and attribute sections.
If the prompt option is set to no then these sections just consist of field names and values: for example,
CN = My Name
OU = My Organization
emailAddress = [email protected]
This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req.
Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:
fieldName="prompt"
fieldName_default="default field value"
fieldName_min= 2
fieldName_max= 4
Generate a config file and in the [req] section you can put prompt = no.
For example:
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
#OU = Org Unit Name
CN = Our Company Llc
#emailAddress = [email protected]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
Then just execute e.g.
openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr
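As an added example (not part of the answer above, reusing its sample subject and SAN values): a script that builds the CSR from a prompt = no config with stdin closed, then confirms that the self-signature, subject and subjectAltName actually ended up in the request. The function names make_csr and check_csr and the file name req.conf are assumptions.

```shell
#!/bin/sh
# Added example: subject/SAN values and key/CSR file names come from the answer above;
# make_csr, check_csr and req.conf are hypothetical names chosen for this sketch.

make_csr() {   # $1 = working directory
    ( cd "$1" || exit 1
      umask 077    # private key readable by the owner only
      cat > req.conf <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
CN = Our Company Llc
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
      openssl genrsa -out example.com.key 2048 2>/dev/null || exit 1
      # stdin is /dev/null: if openssl still tried to prompt, it would fail, not hang
      openssl req -new -sha256 -config req.conf \
          -key example.com.key -out example.com.csr </dev/null )
}

check_csr() {  # $1 = CSR file; returns 0 only if signature, subject and SANs match
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        grep -q 'CN=Our Company Llc,O=Our Company Llc' || return 1
    openssl req -in "$1" -noout -text |
        grep -q 'DNS:example.com, DNS:www.example.com'
}

# Demo run in a throwaway directory
if dir=$(mktemp -d) && make_csr "$dir" && check_csr "$dir/example.com.csr"; then
    echo "CSR OK: $dir/example.com.csr"
else
    echo "CSR generation or verification failed" >&2
fi
```

The SAN check matters because req_extensions is only honoured when the [req] section names it; a CSR built without it is still valid but carries no subjectAltName.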
A mixed approach is not supported
It may be intuitive to think that a mixed approach is possible, where you may think of putting some static fields in openssl.cnf and specify some (CN) via -subj option. However, that does not work.
I tested a scenario where I
- put C, ST, L, O and OU in the openssl.cnf section req_distinguished_name, and
- ran openssl req with -subj=/CN=www.mydom.com.
openssl complained that mandatory Country Name field is missing and the generated certificate just had CN in the subject line. Seems like -subj option completely overrides the subject line and does not allow updating a single field.
This makes all following three approaches of supplying subject fields exclusive to each other:
- Prompts
- config file
- -subj option
The -batch optional parameter causes the openssl req command to not prompt for any of the information fields. I use it this way without an explicit config file for automation of self-signed certs.
It is listed in the help:
openssl help req
...
...
-batch Do not ask anything during request generation