I'm trying to create a bash script to manage a PKI. I want to use an OpenSSL conf file to specify some parameters for the certs generated and signed using my CA.
I specified default parameters as below:
[ ca ]
default_ca = my ca
[ my ca ]
dir = "path/to/ca"
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/new_certs
database = $dir/index.txt
serial = $dir/serial.txt
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
prompt = no
string_mask = utf8only
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
default_days = 365
[ dn ]
C = *my countrycode*
ST = *my country*
L = *my city*
O = *my name*
emailAddress = *my mail*
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names
[ ecparam ]
namedCurve = secp384r1
[ alt_names ]
email = *my mail*
I want to specify the Common Name, Organization Unit and alt_names DNS entry during the cert generation with the script using variables set by the user at script run time.
However, when generating the signing request as below:
openssl req -x509 -newkey ec:secp384r1 -keyout path/to/key -out path/to/cert --subj "/CN=$fqdn/OU=$ou" -addext "subjectAltName=DNS:$fqdn"
the -subj and -addext parameters are not used by OpenSSL; they are overridden by the values set in the config file (and since those are not set in the config file, the CSR therefore doesn't have any CN/OU/subjectAltName DNS set).
Is there a way to combine the command line arguments with the config file, specifically for the OU, CN and SAN values to be set in the script?
Thanks
`openssl req -x509 -new[key] ...` generates a self-signed cert (as your `path/to/cert` suggests), not a "signing request" or "CSR". Such a cert cannot "us[e] my CA". `req -new[key] -x509` does not use a config section designated by `req_extensions` like you have, but instead one designated by `x509_extensions`; in the upstream 'standard' config this is `[v3_ca]`, not `[v3_req]`. But I cannot reproduce; with both 1.1.1 and 3.0, `-subj` (only one hyphen needed) and `-addext` DO override (the latter per extension) the (corrected) config file. ...