Home / server / Questions / 762642
Accepted
AJN
Asked: 2016-03-10 05:56:11 +0800 CST

How do I read certificate information automatically using OpenSSL

  • 772

To generate an SSL certificate file for Apache, I am using the below command:

 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert

And I manually feed it with these parameters:

Country Name (2 letter code) [AU]:AU
State or Province Name (full name): Myname
[Some-State]:Some-State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet
Organizational Unit Name (eg, section) []:Section
Common Name (e.g. server FQDN or YOUR name) []:yourname
Email Address []:[email protected]

Is it possible to enter them from a file or right from an OpenSSL command line using options?

There is no hint from the OpenSSL man pages.

apache-2.4

3 Answers

  1. Best Answer

    You can create a configuration file and use that in your command. You could for example create a config file named openssl.cnf and use it like this:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert -config ./openssl.cnf

    In your case you can set the following parameters:

    [ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

    More can be found at http://www.flatmtn.com/article/setting-openssl-create-certificates#SSLCert-4

    • 6

  2. Somewhere in your config file you need the following:

    [ req ]
prompt                 = no
distinguished_name     = req_distinguished_name

[ req_distinguished_name ]
countryName             = GB
stateOrProvinceName     = Provinceshire
localityName            = Locationsville
organizationName        = Example Ltd
organizationalUnitName  = PKI
commonName              = www.example.com

    The prompt = no in the [ req ] section stops the prompts you see and changes the format expected in the distinguished_name section. If you don't have this option, OpenSSL will expect the prompting format that you currently have.

    Note that the order of the fields are changeable and dictate the order in the certificate.

    • 6

  3. It could also be run from a script:

    #!/bin/bash

country=WORLD   
state=mystate    
locality=Mycity   
organization=myorg    
organizationalunit=IT   
[email protected]

 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout
 /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.cert -subj
 "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"

    Found it at: http://www.jamescoyle.net/how-to/1073-bash-script-to-create-an-ssl-certificate-key-and-request-csr

    • 4