
I am writing a bash script that will generate a root certificate and a server certificate. The root certificate generation works, but the server certificate prompts me for input; however, since this is a bash script, it should just use the values from the config.

rootCA_openssl.cnf

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
 
[ req_distinguished_name ]
countryName = NO
countryName_default = NO
stateOrProvinceName = Nordland
stateOrProvinceName_default = Nordland
organizationName = Lumina Ventures
organizationName_default = Lumina Ventures
commonName = Lumina Ventures Root CA 1
commonName_default = Lumina Ventures CA 1
 
[ v3_req ]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

Genrsa

openssl genrsa -aes256 -out rootCA.key --passout pass:password 2048

Create a CSR (Certificate Signing Request) file for root CA certificate

openssl req -new -key rootCA.key -out rootCA.csr -config rootCA_openssl.cnf --passin pass:password

Generate root CA certificate file rootCA.pem

openssl x509 -req -in rootCA.csr -sha512 -signkey rootCA.key -out rootCA.pem -days 1095 -extensions v3_req -extfile rootCA_openssl.cnf --passin pass:password

server_openssl.cnf

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
countryName = NO
countryName_default = NO
stateOrProvinceName = Nordland
stateOrProvinceName_default = Nordland
localityName = Lofoten
localityName_default = Lofoten
organizationName = Lumina Ventures
organizationName_default = Lumina Ventures
commonName = 80.50.50.20
commonName_default = 80.50.50.20
commonName_max = 64
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
 
[ alt_names ]
IP.1 = 80.50.50.20

Enter a passphrase when prompted

openssl genrsa -aes256 -out server.key --passout pass:password 2048

req (it stops here)

openssl req -new -key server.key -out server.csr -config server_openssl.cnf --passin pass:password

This prompts me with:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
NO [NO]:

How can I use the default values in the server config? I tried to add prompt = no to the [ req ] section, but it gave me a new error:

Error making certificate request
4057E170FB7C0000:error:04000067:object identifier routines:OBJ_txt2obj:unknown object name:../crypto/objects/obj_dat.c:376:
4057E170FB7C0000:error:05800077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:../crypto/x509/x509name.c:252:name=countryName_default

The last thing I am going to do is generate the certificate; however, I am stuck at the openssl req step:

openssl x509 -req -in server.csr -sha256 -CA rootCA.pem -CAkey rootCA.key -out server.pem -days 1095 -extensions v3_req -extfile server_openssl.cnf

1 Answer

There is no sense in adding _default values when prompt = no is used, as you are setting the values in the config file. These defaults are only used if the user doesn't enter anything at the prompt.

Use something like:

[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Nordland
localityName = Lofoten
organizationName = Lumina Ventures
commonName = Lumina Ventures Issuing CA 1
  • It worked when I removed the default values. I also had to remove "commonName_max = 64". Will that make problems with the certificate?
    – Europa
    Commented Jun 26 at 4:52
  • Not at all. That setting is the maximum number of characters which the operator can enter as the common name. As you're now not entering that value (it's in the config instead) then the option is also irrelevant. Commented Jun 27 at 20:46
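
The corrected pipeline as a runnable script, added here and not code from the question or the answer. It writes both configs without the prompt-only keys, includes a small check that refuses a prompt = no config whose DN section still carries *_default/*_min/*_max keys (the exact cause of the "invalid field name: countryName_default" error above), runs the question's genrsa/req/x509 steps non-interactively, and then verifies what came out. Assumptions that are not on the page: the output directory, the passphrases (they default to the question's "password"; set ROOT_PASS/SERVER_PASS in the environment rather than hardcoding them in a real script), and openssl 1.1.1 or 3.x on PATH. The critical flags, cRLSign, subjectKeyIdentifier and extendedKeyUsage = serverAuth are hardening added beyond the question's own configs, and nonRepudiation is dropped from the server keyUsage.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: the question's root CA
# and server certificate pipeline run without prompts, using [req] configs whose DN
# section holds plain values only. Assumptions (not from the page): output directory,
# passphrases (default "password" as in the question) and openssl 1.1.1+/3.x on PATH.
set -eu
ROOT_PASS="${ROOT_PASS:-password}"
SERVER_PASS="${SERVER_PASS:-password}"
SERVER_IP="${SERVER_IP:-80.50.50.20}"   # the address from the question's SAN

# write_req_cnf FILE KIND (root|server). With prompt = no every key under
# [ req_distinguished_name ] must be a DN attribute name, so no *_default/*_max
# keys. critical flags, cRLSign, subjectKeyIdentifier and extendedKeyUsage are
# hardening added here, beyond the question's own configs.
write_req_cnf() {
  case "$2" in
  root) cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Nordland
organizationName = Lumina Ventures
commonName = Lumina Ventures Root CA 1
[ v3_req ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  ;;
  server) cat >"$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
countryName = NO
stateOrProvinceName = Nordland
localityName = Lofoten
organizationName = Lumina Ventures
commonName = $SERVER_IP
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $SERVER_IP
EOF
  ;;
  *) echo "write_req_cnf: unknown kind '$2'" >&2; return 2 ;;
  esac
}

# check_prompt_no_cnf FILE: 0 if the config is safe for prompt = no, 1 if the DN
# section still has prompt-only keys (the cause of the "invalid field name:
# countryName_default" error in the question).
check_prompt_no_cnf() {
  awk '
    /^[ \t]*\[/ { gsub(/[][ \t]/, ""); section = $0; next }
    section == "req" && /^[ \t]*prompt[ \t]*=[ \t]*no/ { prompt_no = 1 }
    section == "req_distinguished_name" &&
      /^[ \t]*[A-Za-z0-9.]+_(default|min|max)[ \t]*=/ {
        bad++; print FILENAME ": prompt-only key in DN section: " $1 > "/dev/stderr" }
    END { if (prompt_no && bad) exit 1 }
  ' "$1"
}

# build_pki DIR: the six openssl commands from the question, non-interactive,
# then the checks worth running before the certificates are deployed.
build_pki() {
  dir="$1"; mkdir -p "$dir"
  write_req_cnf "$dir/rootCA_openssl.cnf" root
  write_req_cnf "$dir/server_openssl.cnf" server
  check_prompt_no_cnf "$dir/rootCA_openssl.cnf"
  check_prompt_no_cnf "$dir/server_openssl.cnf"
  # root CA: encrypted key -> CSR -> self-signed certificate
  openssl genrsa -aes256 -passout "pass:$ROOT_PASS" -out "$dir/rootCA.key" 2048
  openssl req -new -key "$dir/rootCA.key" -passin "pass:$ROOT_PASS" \
    -config "$dir/rootCA_openssl.cnf" -out "$dir/rootCA.csr"
  openssl x509 -req -in "$dir/rootCA.csr" -sha256 -days 1095 -signkey "$dir/rootCA.key" \
    -passin "pass:$ROOT_PASS" -extfile "$dir/rootCA_openssl.cnf" -extensions v3_req \
    -out "$dir/rootCA.pem"
  # server: encrypted key -> CSR -> cert signed by the root; SAN comes from
  # -extfile because x509 -req does not copy the CSR's extensions by default
  openssl genrsa -aes256 -passout "pass:$SERVER_PASS" -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -passin "pass:$SERVER_PASS" \
    -config "$dir/server_openssl.cnf" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -sha256 -days 1095 -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA.key" -passin "pass:$ROOT_PASS" -CAcreateserial \
    -extfile "$dir/server_openssl.cnf" -extensions v3_req -out "$dir/server.pem"
  # checks: chain verifies, SAN holds the IP, root is marked as a CA
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.pem" >/dev/null
  openssl x509 -in "$dir/server.pem" -noout -ext subjectAltName | grep -q "IP Address:$SERVER_IP"
  openssl x509 -in "$dir/rootCA.pem" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

# Usage: sh make_pki.sh ./pki-demo
if [ $# -ge 1 ]; then build_pki "$1"; fi
```

Two points worth keeping in mind when adapting this: the server certificate's extensions come from -extfile at signing time, not from the CSR (openssl x509 -req ignores the CSR's own extensions unless told to copy them), so the signing side controls what ends up in the certificate; and clients match the address against the subjectAltName IP entry, not the commonName, so the IP.1 line is the one that matters.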
