31

Is there a way to create SSL cert requests by specifying all the required parameters on the initial command? I am writing a CLI-based web server control panel and I would like to avoid the use of expect when executing openssl if possible.

This is a typical way to create a cert request:

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr
Generating a 2048 bit RSA private key
.................................................+++
........................................+++
writing new private key to 'foobar.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New Sweden
Locality Name (eg, city) []:Stockholm
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Scandanavian Ventures, Inc.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:foobar.com
Email Address []:gustav@foobar.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:FooBar

I am hoping to see something like this (non-working example):

$ openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout foobar.com.key -out foobar.com.csr \
-Country US \
-State "New Sweden" \
-Locality Stockholm \
-Organization "Scandanavian Ventures, Inc." \
-CommonName  foobar.com \
-EmailAddress gustav@foobar.com \
-Company FooBar

The fine man page had nothing to say on the matter, nor was I able to find anything via Google. Must SSL cert request generation be an interactive process, or is there some way to specify all the parameters in a single command?

This is on a Debian-derived Linux distro running openssl 1.0.1.

dotancohen
  • 2
    http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr – ceejayoz Dec 08 '14 at 15:05
  • @ceejayoz: Very nice, thank you. א) Where are those `openssl` flags documented? ב) What did you google for to find that? Thank you! – dotancohen Dec 08 '14 at 15:07
  • 1
    I googled "CSR generate script". The `-subj` parameter is documented (not in much detail) at https://www.openssl.org/docs/apps/req.html. – ceejayoz Dec 08 '14 at 15:11
  • It is also possible to create a config file, typically called `openssl.cnf`. – sebix Dec 10 '14 at 08:55

3 Answers

30

You are missing two parts:

the subject line, which can be given as

-subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=.../emailAddress=..."
  • replacing ... with the values, X= being the X509 code (Organisation/OrganisationUnit/etc.)

the password value, which can be given as

-passout pass:client11
-passin  pass:client11
  • which give the output/input passwords

my call for a new key looks like

openssl genrsa -aes256 -out lib/client1.key -passout pass:client11 1024
openssl rsa -in lib/client1.key -passin pass:client11 -out lib/client1-nokey.key

openssl req -new -key lib/client1.key \
    -passin pass:client11 -out lib/client1.csr \
    -subj "/C=US/ST=New Sweden/L=Stockholm/O=.../OU=.../CN=.../emailAddress=..."

(now that I see it, there are two -new ... )

Archemar
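As an added example (not part of this answer), a POSIX shell wrapper around the same -subj approach: it escapes the characters OpenSSL treats specially inside the subject, drops empty fields, passes -batch so no prompt is left, and reads the subject back out of the finished CSR. The function names and the HOST.key/HOST.csr output paths are my own choices.

```shell
#!/bin/sh
# Added example, not code from the answers: non-interactive CSR generation.
# Every DN field is passed on the command line via -subj; -batch removes the
# remaining prompts (challenge password, optional company name).
set -eu

# Escape the characters that are special inside a -subj value:
# "/" separates RDNs and "\" is the escape character.
subj_escape() {
    printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|/|\\/|g'
}

# build_subject C ST L O OU CN EMAIL -> "/C=.../ST=.../.../emailAddress=..."
# An empty value drops that RDN, like answering '.' at the prompt.
build_subject() {
    subj=""
    for pair in "C=$1" "ST=$2" "L=$3" "O=$4" "OU=$5" "CN=$6" "emailAddress=$7"; do
        key=${pair%%=*}
        val=${pair#*=}
        if [ -n "$val" ]; then
            subj="$subj/$key=$(subj_escape "$val")"
        fi
    done
    printf '%s' "$subj"
}

# make_csr HOST C ST L O OU EMAIL: 2048-bit RSA key + SHA-256 CSR with CN=HOST.
# -nodes leaves the key unencrypted; swap it for -passout pass:... to
# encrypt the key the way the answer above does.
make_csr() {
    host=$1
    subject=$(build_subject "$2" "$3" "$4" "$5" "$6" "$host" "$7")
    openssl req -new -newkey rsa:2048 -nodes -sha256 -batch \
        -keyout "$host.key" -out "$host.csr" -subj "$subject"
    # Read the subject back from the request instead of trusting the input,
    # and check the request's self-signature so a damaged CSR is caught here.
    openssl req -noout -verify -in "$host.csr" >/dev/null
    openssl req -noout -subject -in "$host.csr"
}

# Usage: sh mkcsr.sh foobar.com US "New Sweden" Stockholm \
#            "Scandanavian Ventures, Inc." "" gustav@foobar.com
if [ "$#" -eq 7 ] && command -v openssl >/dev/null 2>&1; then
    make_csr "$@"
fi
```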
7

I append to my regular openssl command:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem

This line:

-subj "/C=PE/ST=Lima/L=Lima/O=Acme Inc./OU=IT Department/CN=acme.com"

Description:

  • Country Name (2 letter code) [AU]:PE
  • State or Province Name (full name) [Some-State]:Lima
  • Locality Name (eg, city) []:Lima
  • Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme Inc.
  • Organizational Unit Name (eg, section) []:IT Department
  • Common Name (e.g. server FQDN or YOUR name) []:acme.com

Use "/" as the separator.

JorgeM
2

Check the -batch option as described in the official docs.

mustaccio
eject
  • 3
    Thank you. I see that the batch option exists, but there seems to be no explanation of how to use it. – dotancohen Dec 08 '14 at 15:53
  • Why was this answer downvoted? Is batch not a possible solution to the issue? From the name, it sounds like it just might be. – dotancohen Dec 08 '14 at 15:54
  • It's definitely the only way to do this with the -batch option; why it was downvoted I have no idea. The statement "The fine man page had nothing to say on the matter" is false, because of the "-batch" option. – eject Dec 08 '14 at 15:58
  • Upvoted for mentioning batch, as even though I didn't use it in the solution it may come in handy in the future. – dotancohen Dec 08 '14 at 16:11
  • 2
    This answer doesn't seem to be very useful, as it doesn't explain _how_ to use that option (neither does the doc). Using `-batch` without `-subj` causes the command to fail, while using `-subj` without `-batch` works just fine, so it's unclear what benefit `-batch` provides, if any. – mustaccio Aug 21 '20 at 20:29