34

I can create a self-signed certificate using this command

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

But is it possible to pass arguments like “Country Name,” “State or Province Name” etc. to OpenSSL to automate this process?

Giacomo1968
Alexander Zeitler
  • You still need to pass the hostnames through a CONF file. Otherwise, browsers will reject the certificate, even if it's in the proper trust store. That's because the [CA/Browser Baseline Requirements](https://cabforum.org/baseline-requirements-documents/) require the hostnames in the *Subject Alternate Name*, and the only way to add them is through the CONF file. Also see [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) on Stack Overflow. – jww Jan 10 '17 at 18:45

1 Answer

42

This website explains very well how to do this:

The magic of CSR generation without being prompted for values which go in the certificate's subject field is in the -subj option.

-subj arg
  Replaces subject field of input request with specified data and outputs modified request.
    The arg must be formatted as /type0=value0/type1=value1/type2=...,
    characters may be escaped by \ (backslash), no spaces are skipped.

For example:

openssl ... -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"

See more details on the page I linked above.

kojiro
janos
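An added example, not part of the original answer: a script that builds the `-subj` string from `TYPE=VALUE` pairs with backslash escaping and supplies the hostnames through a temporary config file, as the comment under the question asks. The function names, the config section names (`dn`, `ext`), the DNS-only SAN list and the escaping of `+` (which OpenSSL uses to join multi-valued RDNs) are assumptions of this example.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate with subject and SAN.

# Backslash-escape characters that are special inside a -subj value:
# "/" separates fields, "\" is the escape character, "+" joins multi-valued RDNs.
subj_escape() {
    printf '%s' "$1" | sed 's|[\\/+]|\\&|g'
}

# Build "/type0=value0/type1=value1..." from TYPE=VALUE arguments.
# Arguments with an empty value (or no "=") are skipped.
build_subj() (
    subj=''
    for pair in "$@"; do
        case $pair in *=?*) ;; *) continue ;; esac
        subj="$subj/${pair%%=*}=$(subj_escape "${pair#*=}")"
    done
    printf '%s\n' "$subj"
)

# Build a subjectAltName value ("DNS:a,DNS:b") from hostnames (DNS names only).
build_san() (
    san=''
    for host in "$@"; do san="${san:+$san,}DNS:$host"; done
    printf '%s\n' "$san"
)

# usage: make_selfsigned OUT_PREFIX SUBJ SAN  -> writes OUT_PREFIX.key and OUT_PREFIX.crt
make_selfsigned() (
    umask 077                       # -nodes writes the private key unencrypted
    conf=$(mktemp) || exit 1
    cat > "$conf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
CN = overridden-by-subj
[ext]
subjectAltName = $3
EOF
    rc=0
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
        -config "$conf" -subj "$2" -keyout "$1.key" -out "$1.crt" || rc=$?
    rm -f "$conf"
    exit "$rc"
)

# subj=$(build_subj C=GB ST=London L=London "O=Global Security" "OU=IT Department" CN=example.com)
# make_selfsigned server "$subj" "$(build_san example.com www.example.com)"
```

After generating, `openssl x509 -in server.crt -noout -text` shows whether the Subject and the Subject Alternative Name extension came out as intended.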