create self-signed cert with config file


deb...@good-with-numbers.com

May 28, 2025, 12:44:24 AM
to openss...@openssl.org
I'm trying to create a self-signed certificate/private key pair with the
`openssl` command-line tool, v1.1.1. There is the usual example:

openssl req -x509 -newkey rsa:2048 -keyout foo.key -out foo.crt

and I can add -addext 'subjectAltName=...' too. I opened the resulting .crt
file in Mozilla and verified that it's a CA cert.

But I'd like to use -config to avoid being prompted for the DN fields. (I'm
doing this repetitively.) When I try

openssl req -x509 -config foo.conf -out foo.crt

moving as much as I can into the .conf file, the resulting .crt is missing
fields that I saw with the usual command line. It doesn't appear to be a CA
cert at all. The SAN fields are missing.

I'm also surprised that not all command-line options have config equivalents:
-days, for instance.

Is there a way to do this?

deb...@good-with-numbers.com

May 28, 2025, 11:16:11 AM
to openss...@openssl.org
Ahhh...I figured it out. Now I understand the difference between the
req_extensions and the x509_extensions config options.

Viktor Dukhovni

May 28, 2025, 12:55:53 PM
to openss...@openssl.org
On Wed, May 28, 2025 at 04:41:27AM +0000, deb...@good-with-numbers.com wrote:

> I'm trying to create a self-signed certificate/private key pair with the
> `openssl` command-line tool, v1.1.1. There is the usual example:
>
> openssl req -x509 -newkey rsa:2048 -keyout foo.key -out foo.crt
>
> and I can add -addext 'subjectAltName=...' too. I opened the resulting .crt
> file in Mozilla and verified that it's a CA cert.
>
> But I'd like to use -config to avoid being prompted for the DN fields. (I'm
> doing this repetitively.) When I try

You don't need "-config" for that, you can just use the "-subj" option,
the example below throws in a couple more extensions, the authority key
id is largely redundant for a trust-anchor, but may be useful in other
cases.

openssl req -quiet -nodes -x509 -new -out foo.crt \
-newkey rsa:2048 -keyout foo.key \
-days 36524 -subj "/CN=My root CA" \
-addext "basicConstraints = critical,CA:true" \
-addext "keyUsage = critical, cRLSign, keyCertSign" \
-addext "subjectKeyIdentifier = hash" \
-addext "authorityKeyIdentifier = keyid:always"

> openssl req -x509 -config foo.conf -out foo.crt
>
> moving as much as I can into the .conf file, the resulting .crt is missing
> fields that I saw with the usual command line. It doesn't appear to be a CA
> cert at all. The SAN fields are missing.
>
> I'm also surprised that not all command-line options have config equivalents:
> -days, for instance.
>
> Is there a way to do this?

Everything can be done with a config file if you prefer. See
x509v3_config(3), and various mixtures of command-line options and
inline config snippets (using bash "<(command)" syntax to create on
the fly configs) in:

https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

--
Viktor.
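An added example (not from the thread or the OpenSSL project) of the config-file route the thread arrives at: the CA extensions go under x509_extensions, which `openssl req -x509` applies to the certificate it emits, whereas req_extensions only end up in a CSR; -days has no config equivalent and stays on the command line. The CN, SAN values and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: self-signed CA with `openssl req -x509 -config`, no prompts.
# Extensions listed under x509_extensions are written into the -x509 output;
# a config that only sets req_extensions yields a cert without them (not a CA).

# Print a req config. $1 = CN, $2 = SAN list, e.g. "DNS:ca.example.test,IP:10.0.0.1"
mk_ca_conf() {
    cat <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
encrypt_key         = no
distinguished_name  = dn
x509_extensions     = v3_ca

[ dn ]
CN = $1

[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = $2
EOF
}

# Generate key + cert from the config. -days is command-line only.
# $1 = config, $2 = days, $3 = key path, $4 = cert path
mk_ca_cert() {
    openssl req -x509 -new -config "$1" -days "$2" -keyout "$3" -out "$4" 2>/dev/null
}

# Return 0 only if the cert is a CA with cert/CRL-sign key usage and the given SAN.
check_ca_cert() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$txt" | grep -q 'CA:TRUE' || return 1
    echo "$txt" | grep -q 'Certificate Sign, CRL Sign' || return 1
    echo "$txt" | grep -q "$2" || return 1
}

# Demo in a temp dir; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    mk_ca_conf "My root CA" "DNS:ca.example.test,IP:10.0.0.1" > "$dir/ca.conf"
    mk_ca_cert "$dir/ca.conf" 3650 "$dir/ca.key" "$dir/ca.crt"
    check_ca_cert "$dir/ca.crt" "DNS:ca.example.test" && echo "CA cert OK: $dir/ca.crt"
fi
```

Run `openssl x509 -in ca.crt -noout -text` on the result to confirm the Basic Constraints, Key Usage and SAN sections that were missing with a req_extensions-only config.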