发表新帖
发表新帖

is it possible making openssl skipping the country/common name prompts?

后端 未结
关注
5 1699
长情又很酷
长情又很酷 2021-01-31 13:05

Is there a way to make openssl skiping the prompts such as 

Country Name (2 letter code) [US]:
Organization Name (eg, company) [My Company Name LTD.]:
Common Nam
相关标签:
5条回答
  • 独厮守ぢ
    2021-01-31 13:34

    The -batch optional parameter causes the openssl req command to not prompt for any of the information fields. I use it this way without a config file for automation of self-signed certs.

    It is listed in the help:

    openssl help req
...
...
-batch              Do not ask anything during request generation
    0 讨论(0)
  • 醉梦人生
    2021-01-31 13:39

    Generate a config file and in the [req] section you can put prompt = no.

    For example:

    [req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
#OU = Org Unit Name
CN = Our Company Llc
#emailAddress = info@example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com

    Then just execute e.g.

    openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr
    0 讨论(0)
  • 佛祖请我去吃肉
    2021-01-31 13:49

    A mixed approach is not supported

    It may be intuitive to think that a mixed approach is possible, where you may think of putting some static fields in openssl.cnf and specify some (CN) via -subj option. However, that does not work.

    I tested a scenario where I

    • put C, ST, L, O and OU in the openssl.cnf section req_distinguished_name and
    • ran openssl req with -subj=/CN=www.mydom.com.

    openssl complained that mandatory Country Name field is missing and the generated certificate just had CN in the subject line. Seems like -subj option completely overrides the subject line and does not allow updating a single field.

    This makes all following three approaches of supplying subject fields exclusive to each other:

    • Prompts
    • config file
    • -subj option
    0 讨论(0)
  • 鱼传尺愫
    2021-01-31 13:55

    thanks to @indiv

    according to this guide -subj is the way to go, e.g.

    -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
    0 讨论(0)
  • 佛祖请我去吃肉
    2021-01-31 13:55

    Another solution consists of using the prompt = no directive in your config file.
    See OpenSsl: Configuration file format

    prompt

    if set to the value no this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the distinguished_name and attributes sections.

    There are two separate formats for the distinguished name and attribute sections.

    If the prompt option is set to no then these sections just consist of field names and values: for example,

     CN = My Name
 OU = My Organization
 emailAddress = someone@somewhere.org

    This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req.

    Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

     fieldName="prompt"
 fieldName_default="default field value"
 fieldName_min= 2
 fieldName_max= 4
    0 讨论(0)
 看不清?
提交回复
热议问题