
how to generate a self-signed certificate automatically


Jian Chen

Oct 9, 2001, 4:50:16 PM
Hi, All,

Does anybody know how to generate an openssl certificate in non-interactive
mode?

Currently, when I ran:
openssl req -x509 -newkey rsa:1024 -keyout server.key -out server.crt
It prompts for input such as: Country, Common name, etc.

So, is there a way to generate the self-signed certificate using the
openssl.cnf file and without all the prompts?

Thanks in advance,

Jian
Oct. 9

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Michael Sierchio

Oct 9, 2001, 5:39:55 PM
Jian Chen wrote:
>
> Hi, All,
>
> Does anybody know how to generate an openssl certificate in non-interactive
> mode?
>
> Currently, when I ran:
> openssl req -x509 -newkey rsa:1024 -keyout server.key -out server.crt
> It prompts for input such as: Country, Common name, etc.
>
> So, is there a way to generate the self-signed certificate using the
> openssl.cnf file and without all the prompts?

The snapshot version of 'req' accepts the '-batch' arg.

Dr S N Henson

Oct 9, 2001, 5:47:03 PM
Jian Chen wrote:
>
> Hi, All,
>
> Does anybody know how to generate an openssl certificate in non-interactive
> mode?
>
> Currently, when I ran:
> openssl req -x509 -newkey rsa:1024 -keyout server.key -out server.crt
> It prompts for input such as: Country, Common name, etc.
>
> So, is there a way to generate the self-signed certificate using the
> openssl.cnf file and without all the prompts?
>

Yes. Read the req manual page: it has an example of how to do this.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.

Michael Sierchio

Oct 9, 2001, 6:03:43 PM
Dr S N Henson wrote:

> > So, is there a way to generate the self-signed certificate using the
> > openssl.cnf file and without all the prompts?
> >
>
> Yes. Read the req manual page: it has an example of how to do this.

It's either my eyes or brain, but I don't see this example -- and
the batch flag is new, innit?

Jian Chen

Oct 9, 2001, 6:23:38 PM
Hi,

I am using OpenSSL 0.9.5a and I do not see the -batch flag when I tried:
"openssl req -?"

Jian

Dr S N Henson

Oct 9, 2001, 8:13:04 PM
Michael Sierchio wrote:
>
> Dr S N Henson wrote:
>
> > > So, is there a way to generate the self-signed certificate using the
> > > openssl.cnf file and without all the prompts?
> > >
> >
> > Yes. Read the req manual page: it has an example of how to do this.
>
> It's either my eyes or brain, but I don't see this example -- and
> the batch flag is new, innit?

Check the documentation of the "prompt" option, the description at the
start of the section "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
and the last example before the NOTES section:

> Sample configuration containing all field values:
>
>
> RANDFILE = $ENV::HOME/.rnd
>
> [ req ]
> default_bits = 1024
> default_keyfile = keyfile.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> prompt = no
> output_password = mypass
>
> [ req_distinguished_name ]
> C = GB
> ST = Test State or Province
> L = Test Locality
> O = Organization Name
> OU = Organizational Unit Name
> CN = Common Name
> emailAddress = te...@email.address
>
> [ req_attributes ]
> challengePassword = A challenge password
>
>

What is perhaps not so apparent is that the noprompt behaviour applies
to the req program when used with the -x509 option to create a self
signed certificate. If the above example is saved to 'autocert.cnf' then
the command line:

openssl req -x509 -new -config autocert.cnf -out sscert.pem

should do the whole thing with no prompts. In practice some extensions
would be included in the config file and the attributes removed since
they are ignored when creating a self signed certificate.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.
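
Added example, not part of the thread or of the OpenSSL documentation: the "prompt = no" approach from the last message with the attributes section dropped and an extensions section included, followed by a check that the result really is self-signed. The key.pem file name, the v3_self section name, the example.test host name, the 2048-bit/SHA-256 defaults and the use of -nodes instead of output_password are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). File names, subject values and the
# 2048-bit key size are assumptions chosen for illustration.

# make_selfsigned DIR CN: write DIR/autocert.cnf, then create DIR/key.pem and
# DIR/sscert.pem without any prompts.
make_selfsigned() {
    dir=$1 cn=$2
    (
        umask 077    # the private key must not be group/world readable
        cat > "$dir/autocert.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
x509_extensions    = v3_self
prompt             = no

[ req_distinguished_name ]
C  = GB
O  = Organization Name
CN = $cn

[ v3_self ]
basicConstraints = critical, CA:FALSE
subjectAltName   = DNS:$cn
EOF
        # -nodes leaves the key unencrypted so nothing asks for a passphrase;
        # the alternative in the manual-page sample, output_password, keeps
        # the passphrase in clear text in the config file.
        openssl req -x509 -new -nodes -days 30 -config "$dir/autocert.cnf" \
            -keyout "$dir/key.pem" -out "$dir/sscert.pem" 2>/dev/null
    )
}

# is_selfsigned CERT: succeed only if subject and issuer are identical and
# openssl verify accepts the certificate with itself as the only trust anchor.
is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Whichever way the passphrase question is handled, either key.pem or autocert.cnf ends up holding a secret, so both belong in a directory only the service account can read.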
