Create SSL certificate non-interactively

Question

I want to silently, non interactively, create an SSL certificate. I.e., without get prompted for any data.

The normal way I create the certificate would be:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 \
    -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

I tried the following:

openssl genrsa -out server.key 2048
touch openssl.cnf

cat >> openssl.cnf <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = GB
ST = Test State
L = Test Locality
O = Org Name
OU = Org Unit Name
CN = Common Name
emailAddress = [email protected]
EOF

openssl req -x509 -config openssl.cnf -nodes -days 7300 \
    -signkey server.key -out /etc/ssl/private/pure-ftpd.pem

But I still get a prompt for data.

Can you provide an explanation or output of what is happening instead of the desired result? — phemmer, Dec 08 '13 at 01:48
I get the help as a output- Anything is wrong with the parameters here: `openssl req -x509 -config openssl.cnf -nodes -days 7300 -signkey server.key -out /etc/ssl/private/pure-ftpd.pem ` — TheNiceGuy, Dec 08 '13 at 02:17
It's best to provide the output of errors when you're having issues. I'm guessing your issue is because of `-signkey`. This is not a valid `openssl req` option on my system. The error message will have this as the very first line: `unknown option -signkey` — phemmer, Dec 08 '13 at 03:36
Well that signkey should tell SSL to use the provided key as i know? — TheNiceGuy, Dec 08 '13 at 03:53
Your "normal way to create the certificate" doesn't prompt for any data. Are you not wanting it to output anything? Then use `2> /dev/null`. — wingedsubmariner, Dec 08 '13 at 05:50
How does this not work? What behavior do you see, what did you expect instead? If there are error messages, copy-paste them. If the output files are not what you wanted, how do they differ? — Gilles 'SO- stop being evil', Dec 08 '13 at 21:53

bahamat · Accepted Answer · 2022-09-19T20:00:44.780

116

The thing you're missing is to include the certificate subject in the -subj flag. I prefer this to creating a config file because it's easier to integrate into a workflow and doesn't require cleaning up afterward.

One step key and csr generation:

openssl req -new -newkey rsa:4096 -nodes \
    -keyout www.example.com.key -out www.example.com.csr \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"

One step self signed passwordless certificate generation:

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -keyout www.example.com.key  -out www.example.com.cert

Neither of these commands will prompt for any data.

See my answer to this nearly identical question on Super User.

After many years, and by popular demand, here's how to do it with ECDSA.

This is necessarily two steps because EC keys require generating parameters, which (at the time of this writing) must be done separately from signing request*.

openssl ecparam -out www.example.com.key -name prime256v1 -genkey
openssl req -new -days 365 -nodes -x509 \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -key www.example.com.key -out www.example.com.cert

* You can either just generate ec parameters and use req -newkey ec:<file with ec params>, or do it like I did above. There isn't really a significant difference.

edited Sep 19 '22 at 20:00

answered Dec 08 '13 at 23:30

bahamat

38,658
4
70
103

O well that's a nice solution. Makes the codes much smaller. Thanks :D – TheNiceGuy Dec 09 '13 at 00:23
1

I didn't modify his original config file, as I thought it might be a standin for a more complicated certificate. Some configurations that cannot be represented with a `-subj` parameter, particularly when you get into v3 extensions and subjectAltName parameters. – robbat2 Dec 09 '13 at 02:02
3

You can also use `-batch` (non-interactive mode) – Eran H. Nov 05 '18 at 08:26
Note the first command seems to require the key to exist before it can be executed where the second command creates they key and cert automatically because the `-subj` is a basic valid in-line CSR. – dragon788 Jan 04 '19 at 19:04
@dragon788 Thanks for pointing that out. I fixed it. – bahamat Jan 10 '19 at 01:22
C = GB ST = Test State or Province L = Test Locality O = Organization Name OU = Organizational Unit Name CN = Common Name emailAddress = [email protected] – xiaojueguan May 14 '22 at 13:50
How does this apply to elliptic curve keys, as they use the subcommand "ec" to generate key-pairs? – marscher Sep 16 '22 at 07:54
1

@marscher I've amended my answer to include ECDSA. – bahamat Sep 19 '22 at 20:01
@bahamat Thanks a lot for updating this so quickly! – marscher Sep 20 '22 at 15:58
1

`ST=denial`, `O=Dis` - wish I could upvote more times – toraritte Aug 28 '23 at 13:09

score 4 · Answer 2 · edited Dec 08 '13 at 23:25

4

The command you are looking for is:

openssl req -new -x509 -config openssl.cnf -nodes -days 7300 -key server.key -out /etc/ssl/private/pure-ftpd.pem

Changes from your version:

-new is required to generate anything
-key used in place of -signkey

edited Dec 08 '13 at 23:25

bahamat

38,658
4
70
103

answered Dec 08 '13 at 22:14

robbat2

3,599
20
32

Create SSL certificate non-interactively

2 Answers2