Raymii.org
Quis custodiet ipsos custodes?Home | About | All pages | Cluster Status | RSS Feed
OpenSSL Generate CSR non-interactive
Published: 09-02-2013 | Author: Remy van Elst | Text only version of this article
❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.
This is a short command to generate a CSR (certificate signing request) with openssl without being prompted for the values which go in the certificate's Subject field.
Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:
I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!
Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!
When you use OpenSSL to generate a CSR and a private key you use the following command:
openssl req -nodes -newkey rsa:2048 -keyout private.key -out CSR.csr
This is the output:
Generating a 2048 bit RSA private key
.................................................................+++
.......................................................................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:ssl.raymii.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You can see that you have to fill in a lot of data during the generation. If you do not want that, maybe because you are using a script to generate a lot of CSR's and private keys, you use the following command. It does the same as the above command, but it has all the data in it:
openssl req -nodes -newkey rsa:2048 -keyout private.key -out CSR.csr -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/OU=IT Department/CN=ssl.raymii.org"
This is the output:
Generating a 2048 bit RSA private key
.......+++
..............................................................................................................................................+++
writing new private key to 'private.key'
-----
This is what the -subj
option does:
- /C=NL: 2 letter ISO country code (Netherlands)
- /ST=: State, Zuid Holland (South holland)
- /L=: Location, city (Rotterdam)
- /O=: Organization (Sparkling Network)
- /OU=: Organizational Unit, Department (IT Department, Sales)
- /CN=: Common Name, for a website certificate this is the FQDN. (ssl.raymii.org)
You can also give a /serialNumber=0123456
with the above option. This is NOT
the serial number the issuing Certificate Authority (CA) will use, but a way to
give extra information to a certificate. If you have a CN for John Doe, and
another one, the serialNumber field can be used to distinguish John Doe 1 from
John Doe 2's certificate. Click here for more info.