Is it possible to make openssl skip the country/common name prompts?

长情又很酷 2021-01-31 13:05

Is there a way to make openssl skip the prompts such as

Country Name (2 letter code) [US]:
Organization Name (eg, company) [My Company Name LTD.]:
Common Nam         


        
5 answers
  • 2021-01-31 13:34

    The -batch optional parameter causes the openssl req command to not prompt for any of the information fields. I use it this way without a config file for automation of self-signed certs.

    It is listed in the help:

    openssl help req
    ...
    ...
    -batch              Do not ask anything during request generation
    
  • 2021-01-31 13:39

    Generate a config file and in the [req] section you can put prompt = no.

    For example:

    [req]
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    
    [req_distinguished_name]
    C = US
    ST = California
    L = Los Angeles
    O = Our Company Llc
    #OU = Org Unit Name
    CN = Our Company Llc
    #emailAddress = info@example.com
    
    [v3_req]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = example.com
    DNS.2 = www.example.com
    

    Then just execute e.g.

    openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr
    
  • 2021-01-31 13:49

    A mixed approach is not supported

    It may be intuitive to think that a mixed approach is possible, where you may think of putting some static fields in openssl.cnf and specify some (CN) via -subj option. However, that does not work.

    I tested a scenario where I

    • put C, ST, L, O and OU in the openssl.cnf section req_distinguished_name and
    • ran openssl req with -subj=/CN=www.mydom.com.

    openssl complained that mandatory Country Name field is missing and the generated certificate just had CN in the subject line. Seems like -subj option completely overrides the subject line and does not allow updating a single field.

    This makes all following three approaches of supplying subject fields exclusive to each other:

    • Prompts
    • config file
    • -subj option
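As an added example (not from any of the answers on this page), the shell functions below build a CSR from a `prompt = no` config, optionally pass `-subj` on top of it, and read the result back so the subject and SAN entries can be checked, since nothing is shown on screen when prompts are off. The `example.test` names, `Example Org`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Subject values, host names and file names are constructed.

# make_csr DIR CN [SUBJ]: write a prompt = no config, create a key and a CSR.
# When SUBJ is given it is passed as -subj together with the same config.
make_csr() {
    dir=$1; cn=$2; subj=${3:-}
    cat > "$dir/req.conf" <<EOF
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
C = US
O = Example Org
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $cn
DNS.2 = www.$cn
EOF
    # Private key is created readable by the owner only.
    (umask 077; openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null) || return 1
    # stdin is /dev/null, so an unexpected prompt gets EOF instead of hanging a job.
    openssl req -new -sha256 -config "$dir/req.conf" -key "$dir/key.pem" \
        -out "$dir/req.csr" ${subj:+-subj "$subj"} </dev/null
}

# Read back what the CSR actually contains before sending it to a CA.
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }
csr_sans()    { openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' '; }
csr_sig_ok()  { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }
```

Calling `make_csr "$dir" example.test '/CN=other.test'` produces a subject that contains only the CN, while the SAN entries are still taken from the config file.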
  • 2021-01-31 13:55

    Thanks to @indiv.

    According to this guide, -subj is the way to go, e.g.

    -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'
    
  • 2021-01-31 13:55

    Another solution consists of using the prompt = no directive in your config file.
    See OpenSsl: Configuration file format

    prompt

    if set to the value no this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the distinguished_name and attributes sections.

    There are two separate formats for the distinguished name and attribute sections.

    If the prompt option is set to no then these sections just consist of field names and values: for example,

     CN = My Name
     OU = My Organization
     emailAddress = someone@somewhere.org
    

    This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req.

    Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

     fieldName="prompt"
     fieldName_default="default field value"
     fieldName_min= 2
     fieldName_max= 4
    