
How do I use a variable from user input in an OpenSSL CNF file?

I have the following CNF:

[ req_distinguished_name ]
emailAddress = Email Address

# specify defaults
emailAddress_default = [email protected]

How can I use the email that the user chooses for the emailAddress option in the following section without using a script to generate the CNF?

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
subjectAltName = email:[email protected]

1 Answer

Within OpenSSL's configuration files, you can use a value from a different section using ${section::name}. However, it seems that these are parsed early in the process (before user input) and therefore a line such as:

[ req_distinguished_name ]
emailAddress                    = Email Address
emailAddress_max                = 64

....

[usr_cert]
# Extensions for client certificates (`man x509v3_config`).
subjectAltName = email:${req_distinguished_name::emailAddress}

would result in a Subject Alternative Name of:

X509v3 Subject Alternative Name:
    email: Email Address

(assuming Email Address is the prompt) and not the entered email address.

An alternative is to have your email address as an environment variable, set before you run OpenSSL, and use the following in your config:

[usr_cert]
# Extensions for client certificates (`man x509v3_config`).
subjectAltName = email:${ENV::email_address}

and run:

email_address="[email protected]" openssl req -new -newkey rsa:2048 -keyout test.key -out test.csr -nodes

The resulting request (test.csr) will have:

X509v3 Subject Alternative Name:
    email: [email protected]

This may not work for you, depending on your application of course, but it's probably the nearest you can get.

Yet another alternative would be a script that generates an OpenSSL config on-the-fly with the correct email address and other details already configured.
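Added example, not code from the question, the answer or OpenSSL itself: a small Python model of how OpenSSL's CONF reader expands `${section::name}` and `${ENV::name}` while the file is being loaded, which is why the prompt text rather than the typed address lands in the SAN, and why the environment-variable form works. The parser is a deliberately simplified reimplementation, and the two config strings and the address `user@example.invalid` are constructed.

```python
import os
import re

# Constructed config mirroring the question: the SAN reuses the DN field,
# which at load time still holds only the prompt text "Email Address".
SECTION_REF_CNF = """\
[ req_distinguished_name ]
emailAddress = Email Address
emailAddress_default = user@example.invalid

[ usr_cert ]
subjectAltName = email:${req_distinguished_name::emailAddress}
"""
# Constructed config for the answer's workaround: resolve from the environment.
ENV_REF_CNF = """\
[ usr_cert ]
subjectAltName = email:${ENV::email_address}
"""
VAR_RE = re.compile(r"\$\{(?:(\w+)::)?(\w+)\}")


def load_cnf(text, environ=None):
    """Simplified model of OpenSSL's CONF loader: each value is expanded as
    its line is read, long before `openssl req` prompts for the DN."""
    environ = os.environ if environ is None else environ
    sections = {"default": {}}
    current = "default"

    def expand(match):
        sec, name = match.group(1), match.group(2)
        if sec == "ENV":
            if name not in environ:
                # OpenSSL reports "variable has no value" and rejects the config
                raise KeyError("ENV::%s is not set" % name)
            return environ[name]
        # Unqualified names resolve in the current section, as in OpenSSL
        return sections[sec if sec else current][name]

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = VAR_RE.sub(expand, value.strip())
    return sections
```

Running `load_cnf(SECTION_REF_CNF)` yields `email:Email Address` for the SAN, while `load_cnf(ENV_REF_CNF, {"email_address": "user@example.invalid"})` yields the real address; a missing environment variable raises, matching OpenSSL's refusal to load the config.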
