Is it possible to make openssl skip the country / common name prompts?

Is there a way to make openssl skip prompts such as

Country Name (2 letter code) [US]:
Organization Name (eg, company) [My Company Name LTD.]:
Common Name (eg, YOUR name) [something]:

when creating a certificate with

openssl req -config openssl.cnf -new -x509 ...

given that these parameters are supplied in the openssl.cnf file,

for example:

countryName         = Country Name (2 letter code)
countryName_default     = US
countryName_min     = 2
countryName_max     = 2
0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = My Company Name LTD.
commonName          = Common Name (eg, YOUR name)
commonName_max      = 64
commonName_default      = ${ENV::CN}

Thanks to @indiv.

According to this guide, -subj is the way to go, e.g.

-subj '/CN=www.mydom.com/O=My Company Name LTD./C=US'

Another solution consists of using the prompt = no directive in your config file.
See OpenSSL: Configuration file format

prompt

if set to the value no this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the distinguished_name and attributes sections.

There are two separate formats for the distinguished name and attribute sections.

If the prompt option is set to no then these sections just consist of field names and values: for example,

CN = My Name
OU = My Organization
emailAddress = someone@somewhere.org

This allows external programs (e.g. GUI based) to generate a template file with all the field names and values and just pass it to req.

Alternatively if the prompt option is absent or not set to no then the file contains field prompting information. It consists of lines of the form:

fieldName = "prompt"
fieldName_default = "default field value"
fieldName_min = 2
fieldName_max = 4

Generate a config file and in the [req] section you can put prompt = no.

For example:

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req


[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
#OU = Org Unit Name
CN = Our Company Llc
#emailAddress = info@example.com


[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names


[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com

Then just execute e.g.

openssl req -new -sha256 -config THATFILE.conf -key example.com.key -out example.com.csr
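A script that combines this answer's prompt = no config with the ${ENV::CN} expansion the question's own openssl.cnf already used, so the CN can change per run without touching -subj. This is an added example, not code from the answer; the function names, the section name dn and the output paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Builds a prompt = no
# req config from shell arguments, pulls the CN from the environment the way the
# question's openssl.cnf did (${ENV::CN}), and issues a self-signed cert with no
# interactive prompts. Function names and file paths are assumptions.

# Emit a complete req config on stdout: C and O are fixed per call, CN is
# resolved by openssl from the exported CN variable, SANs come from the rest
# of the argument list.
make_req_conf() {
    c="$1"; o="$2"; shift 2
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_req\n\n'
    printf '[dn]\nC = %s\nO = %s\nCN = ${ENV::CN}\n\n' "$c" "$o"
    printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\nsubjectAltName = @alt_names\n\n'
    printf '[alt_names]\n'
    i=1
    for san in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$san"
        i=$((i + 1))
    done
}

# Key + self-signed cert in one call. prompt = no already disables prompting;
# -batch is kept as a second guard so a mis-edited config can never leave an
# unattended job hanging on a prompt.
issue_selfsigned() {
    cn="$1"; conf="$2"; keyout="$3"; certout="$4"
    CN="$cn" openssl req -new -x509 -batch -config "$conf" \
        -newkey rsa:2048 -nodes -keyout "$keyout" -out "$certout" -days 365 \
        >/dev/null 2>&1
}

# Read the subject back so automation can verify every field was filled.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Demo (skipped when openssl is not installed); CN and SANs are constructed values.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_req_conf US "My Company Name LTD." www.mydom.com mydom.com > "$tmp/req.cnf"
    issue_selfsigned www.mydom.com "$tmp/req.cnf" "$tmp/key.pem" "$tmp/cert.pem"
    cert_subject "$tmp/cert.pem"
    rm -rf "$tmp"
fi
```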

A mixed approach is not supported

It may be intuitive to think that a mixed approach is possible, where you may think of putting some static fields in openssl.cnf and specify some (CN) via -subj option. However, that does not work.

I tested a scenario where I

  • put C, ST, L, O and OU in the openssl.cnf section req_distinguished_name and
  • ran openssl req with -subj=/CN=www.mydom.com.

openssl complained that the mandatory Country Name field is missing, and the generated certificate just had CN in the subject line. Seems like the -subj option completely overrides the subject line and does not allow updating a single field.

This makes the following three approaches to supplying subject fields mutually exclusive:

  • Prompts
  • config file
  • -subj option

The -batch optional parameter causes the openssl req command to not prompt for any of the information fields. I use it this way without an explicit config file for automation of self-signed certs.

It is listed in the help:

openssl help req
...
...
-batch              Do not ask anything during request generation