
I'm creating a certificate using this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf

with this config:

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max     = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName   = @alt_names
basicConstraints = critical, CA:false
keyUsage         = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = localhost

But the command asks for a Common Name and a password. How can I pass them as parameters to openssl? I tried other solutions but none of them worked.

saeed
    Why do you have the key usages of keyCertSign and cRLSign when you're asserting that you are not a CA? Read RFC 5280 Section 4.2.1.3 – garethTheRed Apr 19 '22 at 11:15
  • It's asking for a password because your command is malformed - the order of openssl req matters, so move -nodes to the end of the command. If this isn't a CA/ICA, your certificate is insecure (it has no CoT [Chain of Trust] and has KUs only a CA/ICA should have). Please see this answer for KUs and EKUs, this answer for how to correctly create the certificate, and this example openssl.cnf for reference. – JW0914 Apr 19 '22 at 12:05

1 Answer

You can use -subj on the command line to pass the certificate's Subject.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj "/O=My Org/OU=My Dept/CN=My Service"
garethTheRed
  • @JW0914 - maybe that is version dependent? Mine, on OpenSSL 1.1.1 installed on Debian 11 didn't ask for a password, even with -nodes in the current position. How odd... – garethTheRed Apr 19 '22 at 16:27
  • That's because the openssl.cnf you're using has encrypt_key = set to no, whereas by default, most have it set to yes. -nodes is required when creating server certs with encrypt_key = yes, else the server key will be encrypted, which is impractical/potentially detrimental. – JW0914 Apr 19 '22 at 16:44
  • @JW0914 - I've just double checked. Using the OP's config file above, which hasn't got encrypt_key at all, I ran the command as is and I wasn't prompted for a password. Also tried Fedora 35 and that doesn't prompt either (same OpenSSL though). However, if moving it to the end fixes it for the OP, then all's well. – garethTheRed Apr 19 '22 at 17:08
  • openssl.cnf content posted in the OP isn't a complete openssl.cnf. If -nodes is in a command, its sole purpose is to create a key w/o encryption when encrypt_key = yes is in an openssl.cnf, so when a command includes it, by default we must assume it's included due to that (please see the openssl man pages). openssl req combines cert/csr and key creation into a single command, however parameter order matters, as the first part of the command is for cert parameters, whereas key parameters need to be specified after -newkey (specifying them out of order malforms the command) – JW0914 Apr 19 '22 at 17:59
  • (Cont'd...) For a working example of this, please see this answer – JW0914 Apr 19 '22 at 18:04
  • @JW0914 - there is no requirement to use all possible options in the openssl.cnf file, only the minimum required to do the task in hand. Saying that, I added encrypt_key = yes to the OP's config file and ran it with the -nodes in the position shown and it didn't prompt for a password. Just to confirm, I removed -nodes and it did prompt, suggesting that it is doing something at that early position? – garethTheRed Apr 19 '22 at 20:51
  • I stand corrected then - it seems to be the exception to the rule, as trying to process key parameters before -newkey usually creates a malformed command (unless OpenSSL devs changed this - I'll test for tomorrow). For the openssl.cnf, I wasn't implying all options need to be used, just that it's missing some vital options, which is why I believed it to not be the complete config (e.g. default_md = sha512 (or 256), string_mask = utf8only, entire [ CA ]/[ CA_default ] section is missing, etc.), coupled with -nodes, but no encrypt_key – JW0914 Apr 20 '22 at 00:57
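The following script is an added example, not code from the question or from the answer above. It puts the answer's `-subj` technique and the `-nodes` discussion from the comments together into one non-interactive run and then verifies the output: the Common Name comes from `-subj` (so no prompt), the key file is written unencrypted (the effect of `-nodes`), the SAN is present, and the certificate is a plain end-entity cert. It assumes the `openssl` binary is on PATH; the file names follow the question (localhost.conf / localhost.key / localhost.crt), while the subject string and the `[v3_server]` section name are this example's own choices. Unlike the question's `[v3_ca]` section, the keyUsage here keeps only digitalSignature and keyEncipherment, since keyCertSign and cRLSign contradict CA:false (RFC 5280 section 4.2.1.3, as raised in the comments).

```shell
#!/bin/sh
# Added example (not from the question or the answer): create a self-signed
# localhost certificate with no interactive prompts, then check the result.
# Assumes the openssl binary is on PATH. File names follow the question; the
# subject string and the [v3_server] section name are this example's own.
set -eu

# Write the config. Compared with the question's [v3_ca] section, keyUsage keeps
# only the bits a TLS server needs: keyCertSign and cRLSign are dropped because
# they contradict CA:false (RFC 5280 section 4.2.1.3).
write_conf() {
  cat > "$1" <<'EOF'
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_server

[req_distinguished_name]
commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max     = 64

[v3_server]
subjectAltName   = @alt_names
basicConstraints = critical, CA:false
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = localhost
EOF
}

# -subj supplies the whole DN so openssl never prompts for the Common Name;
# -nodes writes the private key unencrypted so no passphrase is requested.
make_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout localhost.key -out localhost.crt \
    -config localhost.conf -subj "$1" 2>/dev/null
}

# Each check returns 0 on success so a caller can chain them with &&.
# "CN *= *" matches both the "CN = x" and the older "/CN=x" subject formats.
cert_cn_is()         { openssl x509 -in localhost.crt -noout -subject | grep -q "CN *= *$1"; }
# Both PKCS#8 and traditional encrypted PEM keys carry the word ENCRYPTED.
key_is_unencrypted() { ! grep -q ENCRYPTED localhost.key; }
cert_has_san()       { openssl x509 -in localhost.crt -noout -text | grep -q "DNS:$1"; }
# An end-entity cert must say CA:FALSE and must not carry the keyCertSign bit,
# which "openssl x509 -text" prints as "Certificate Sign".
cert_is_end_entity() {
  text=$(openssl x509 -in localhost.crt -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:FALSE' &&
    ! printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Run the whole procedure in a scratch directory; returns 0 only if every
# check passes. The subshell keeps the cd from leaking into the caller.
demo() {
  dir=$(mktemp -d)
  if ( cd "$dir" &&
       write_conf localhost.conf &&
       make_cert "/O=My Org/OU=My Dept/CN=localhost" &&
       cert_cn_is localhost &&
       key_is_unencrypted &&
       cert_has_san localhost &&
       cert_is_end_entity ); then
    status=0
  else
    status=1
  fi
  rm -rf "$dir"
  return $status
}

demo && echo "certificate generated without prompts; all checks passed"
```

If you need the key encrypted after all (for example for a key you intend to store rather than hand to a server), drop `-nodes` and add `-passout pass:...` or `-passout file:...` instead; `-subj` still prevents the Common Name prompt either way.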