Is it possible to make openssl skip the country/common name prompts?

Thanks to @indiv.

According to this guide, -subj is the way to go, e.g.

-subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'

Another solution consists of using the prompt = no directive in your config file.
See OpenSSL: Configuration file format

prompt

if set to the value no this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the distinguished_name and attributes sections.

There are two separate formats for the distinguished name and attribute sections.

If the prompt option is set to no then these sections just consist of field names and values: for example,

 CN = My Name
 OU = My Organization
 emailAddress = [email protected]

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req.

Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

 fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4

Generate a config file and in the [req] section you can put prompt = no.

For example:

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
#OU = Org Unit Name
CN = Our Company Llc
#emailAddress = [email protected]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com

Then just execute e.g.

openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr
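The documentation quoted earlier notes that an external program can generate the prompt = no file and pass it to req. The following is an added example of such a generator, not code from any of the answers or from OpenSSL; `render_req_config` and `req_command` are hypothetical names, and the set of rejected characters is a conservative assumption meant to keep an untrusted field value from adding lines, sections, comments or variable expansions to the config.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Control characters plus characters the OpenSSL config parser treats specially
# (expansion, comments, escapes, quotes). Rejecting them is this example's choice.
UNSAFE = re.compile(r"[\x00-\x1f\x7f$#\\\"'`]")
HOSTNAME = re.compile(r"(\*\.)?([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}")
DN_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")


def render_req_config(subject, dns_names):
    """Render a prompt = no config for openssl req from untrusted field values."""
    if set(subject) - set(DN_FIELDS) or "CN" not in subject:
        raise ValueError("subject needs CN and only known fields")
    if "C" in subject and not re.fullmatch(r"[A-Z]{2}", subject["C"]):
        raise ValueError("C must be a two-letter country code")
    out = ["[req]", "prompt = no", "distinguished_name = req_distinguished_name",
           "req_extensions = v3_req", "", "[req_distinguished_name]"]
    for field in DN_FIELDS:  # fixed output order, one "name = value" line each
        if field in subject:
            value = subject[field].strip()
            if not value or UNSAFE.search(value):
                raise ValueError(f"unsafe or empty value for {field}")
            out.append(f"{field} = {value}")
    if not dns_names or not all(HOSTNAME.fullmatch(n) for n in dns_names):
        raise ValueError("need at least one valid DNS name")
    out += ["", "[v3_req]", "basicConstraints = CA:FALSE",
            "keyUsage = nonRepudiation, digitalSignature, keyEncipherment",
            "subjectAltName = @alt_names", "", "[alt_names]"]
    out += [f"DNS.{i} = {name}" for i, name in enumerate(dns_names, 1)]
    return "\n".join(out) + "\n"


def req_command(config, key, csr):
    # No -subj is passed: the config file is the only source of the subject.
    return ["openssl", "req", "-new", "-sha256", "-config", str(config),
            "-key", str(key), "-out", str(csr)]


if __name__ == "__main__" and shutil.which("openssl"):
    with tempfile.TemporaryDirectory() as d:
        cfg, key, csr = (Path(d) / n for n in ("req.conf", "tls.key", "tls.csr"))
        cfg.write_text(render_req_config(  # constructed sample values
            {"C": "US", "O": "Our Company Llc", "CN": "example.com"}, ["example.com"]))
        subprocess.run(["openssl", "genrsa", "-out", str(key), "2048"], check=True)
        subprocess.run(req_command(cfg, key, csr), check=True)
        subprocess.run(["openssl", "req", "-in", str(csr), "-noout", "-subject"], check=True)
```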

A mixed approach is not supported

It may be intuitive to think that a mixed approach is possible, where you may think of putting some static fields in openssl.cnf and specifying some (CN) via the -subj option. However, that does not work.

I tested a scenario where I

  • put C, ST, L, O and OU in the openssl.cnf section req_distinguished_name and
  • ran openssl req with -subj=/CN=www.mydom.com.

openssl complained that the mandatory Country Name field is missing, and the generated certificate just had CN in the subject line. It seems like the -subj option completely overrides the subject line and does not allow updating a single field.

This makes the following three approaches of supplying subject fields exclusive of each other:

  • Prompts
  • config file
  • -subj option

The -batch optional parameter causes the openssl req command to not prompt for any of the information fields. I use it this way without an explicit config file for automation of self-signed certs.

It is listed in the help:

openssl help req
...
...
-batch              Do not ask anything during request generation