
I'm creating a certificate using this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf

with this config:

[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature, keyEncipherment

[alt_names]
DNS.1   = localhost

But the command asks for a Common Name and a password. How can I pass them as parameters to openssl? I tried other solutions but none of them worked.

saeed
    Why do you have the key usages of `keyCertSign` and `cRLSign` when you're asserting that you are _not_ a CA? Read [RFC 5280 Section 4.2.1.3](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3) – garethTheRed Apr 19 '22 at 11:15
  • It's asking for a password because your command is malformed - the order of `openssl req` matters, so move `-nodes` to the end of the command. If this isn't a CA/ICA, your certificate is insecure _(it has no CoT [Chain of Trust] and has KUs only a CA/ICA should have)_. Please see [this](https://superuser.com/a/1248085/529800) answer for KUs and EKUs, [this](https://superuser.com/a/1618151/529800) answer for how to correctly create the certificate, and [this](https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf) example `openssl.cnf` for reference. – JW0914 Apr 19 '22 at 12:05

1 Answer


You can use -subj on the command line to pass the certificate's Subject.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -subj "/O=My Org/OU=My Dept/CN=My Service"
garethTheRed
  • @JW0914 - maybe that is version dependent? Mine, on OpenSSL 1.1.1 installed on Debian 11 didn't ask for a password, even with `-nodes` in the current position. How odd... – garethTheRed Apr 19 '22 at 16:27
  • That's because the `openssl.cnf` you're using has `encrypt_key = ` set to `no`, whereas by default, most have it set to `yes`. `-nodes` is required when creating server certs with `encrypt_key = yes`, else the server key will be encrypted, which is impractical/potentially detrimental. – JW0914 Apr 19 '22 at 16:44
  • @JW0914 - I've just double checked. Using the OP's config file above, which hasn't got `encrypt_key` at all, I ran the command as is and I wasn't prompted for a password. Also tried Fedora 35 and that doesn't prompt either (same OpenSSL though). However, if moving it to the end fixes it for the OP, then all's well. – garethTheRed Apr 19 '22 at 17:08
  • `openssl.cnf` content posted in the OP isn't a complete `openssl.cnf`. If `-nodes` is in a command, its sole purpose is to create a key w/o encryption when `encrypt_key = yes` is in an `openssl.cnf`, so when a command includes it, by default we must assume it's included due to that _(please see the `openssl` man pages)_. `openssl req` combines cert/csr and key creation into a single command, however parameter order matters, as the first part of the command is for cert parameters, whereas key parameters need to be specified after `-newkey` _(specifying them out of order malforms the command)_ – JW0914 Apr 19 '22 at 17:59
  • _(Cont'd...)_ For a working example of this, please see [this](https://superuser.com/a/1618151/529800) answer – JW0914 Apr 19 '22 at 18:04
  • @JW0914 - there is no requirement to use all possible options in the `openssl.cnf` file, only the minimum required to do the task in hand. Saying that, I added `encrypt_key = yes` to the OP's config file and ran it with the `-nodes` in the position shown and it didn't prompt for a password. Just to confirm, I removed `-nodes` and it did prompt, suggesting that it is doing something at that early position? – garethTheRed Apr 19 '22 at 20:51
  • I stand corrected then - it seems to be the exception to the rule, as trying to process key parameters before `-newkey` usually creates a malformed command _(unless OpenSSL devs changed this - I'll test tomorrow)_. For the `openssl.cnf`, I wasn't implying all options need to be used, just that it's missing some vital options, which is why I believed it to not be the complete config _(e.g. `default_md = sha512` (or 256), `string_mask = utf8only`, entire `[ CA ]`/`[ CA_default ]` section is missing, etc.)_, coupled with `-nodes`, but no `encrypt_key` – JW0914 Apr 20 '22 at 00:57
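The following script is an added example, not code from the question, the answer or either commenter. It ties the three threads above together: the answer's `-subj` (plus `-batch`) to issue the certificate with no Common Name prompt, the comment thread's `-nodes` versus `encrypt_key = yes` interplay (with `-passout` standing in for the password prompt when the key is meant to be encrypted), and the RFC 5280 point that a certificate asserting `CA:FALSE` should not carry `keyCertSign`/`cRLSign`. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the config contents, file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumes an `openssl` binary (1.1.1 or 3.x) on PATH; every file name,
# the passphrase and the config contents are constructed for this demo.
set -eu

# Write a req config in the same shape as the question's, but with leaf
# (non-CA) extensions: a cert asserting CA:FALSE must not carry keyCertSign
# or cRLSign (RFC 5280 4.2.1.3). $1 = path, $2 = encrypt_key value (yes/no).
write_config() {
  cat >"$1" <<EOF
[req]
default_bits       = 2048
encrypt_key        = $2
distinguished_name = req_distinguished_name
x509_extensions    = v3_leaf

[req_distinguished_name]
commonName         = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max     = 64

[v3_leaf]
subjectAltName   = @alt_names
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = localhost
EOF
}

# Non-interactive issue: -subj supplies the Subject so no CN prompt appears,
# -batch suppresses any remaining prompts, and -nodes (spelled -noenc in
# OpenSSL 3) leaves the key unencrypted even though encrypt_key = yes.
gen_leaf() {
  write_config "$1/localhost.conf" yes
  openssl req -x509 -nodes -batch -days 365 -newkey rsa:2048 \
    -keyout "$1/localhost.key" -out "$1/localhost.crt" \
    -config "$1/localhost.conf" -subj "/CN=localhost" 2>/dev/null
}

# Same config without -nodes: encrypt_key = yes now takes effect, and -passout
# supplies the passphrase that req would otherwise prompt for.
gen_encrypted() {
  write_config "$1/enc.conf" yes
  openssl req -x509 -batch -days 365 -newkey rsa:2048 \
    -keyout "$1/enc.key" -out "$1/enc.crt" -config "$1/enc.conf" \
    -subj "/CN=localhost" -passout pass:example-passphrase 2>/dev/null
}

# Inspection helpers; each prints yes or no so callers can compare strings.
key_is_encrypted() {
  # An encrypted PEM private key carries ENCRYPTED in its header line.
  if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

key_unlocks() {
  # $1 = key file, $2 = passphrase; succeeds only if the passphrase is right.
  if openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null; then echo yes; else echo no; fi
}

cert_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

cert_has_san() {
  # $1 = cert file, $2 = DNS name expected in subjectAltName
  if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo yes; else echo no; fi
}

cert_has_cert_sign() {
  # yes if the certificate still carries the CA-only keyCertSign usage
  if openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'; then echo yes; else echo no; fi
}

main() {
  dir=$(mktemp -d)
  gen_leaf "$dir"
  echo "leaf key encrypted:   $(key_is_encrypted "$dir/localhost.key")"        # no
  echo "leaf is CA:           $(cert_is_ca "$dir/localhost.crt")"              # no
  echo "leaf has keyCertSign: $(cert_has_cert_sign "$dir/localhost.crt")"      # no
  echo "leaf SAN localhost:   $(cert_has_san "$dir/localhost.crt" localhost)"  # yes
  gen_encrypted "$dir"
  echo "enc key encrypted:    $(key_is_encrypted "$dir/enc.key")"              # yes
  echo "enc key unlocks:      $(key_unlocks "$dir/enc.key" example-passphrase)" # yes
  rm -rf "$dir"
}

main
```

The first run shows the OP's two prompts gone: `-subj` answers the Common Name question and `-nodes` the password one, regardless of where `-nodes` sits on the command line. The second run keeps the key encrypted and feeds the passphrase through `-passout`, which is the non-interactive equivalent of the prompt the commenters were seeing; for a server key that must load unattended, the first form is the one to use.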