I'm trying to create a bash script to manage a PKI. I want to use an OpenSSL conf file to specify some parameters for the certs generated and signed using my CA.

I specified default parameters as below:


[ ca ]
default_ca = my ca

[ my ca ]
dir            = "path/to/ca"
certs          = $dir/certs
crl_dir        = $dir/crl
new_certs_dir  = $dir/new_certs
database       = $dir/index.txt
serial         = $dir/serial.txt

private_key    = $dir/ca.key
certificate    = $dir/ca.crt

default_days   = 3650
default_crl_days = 30
default_md     = sha256

policy         = policy_strict

[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = supplied
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048
prompt                  = no
string_mask             = utf8only
default_md              = sha256
req_extensions          = v3_req
distinguished_name      = dn
default_days            = 365

[ dn ]
C               = *my countrycode*
ST              = *my country*
L               = *my city*
O               = *my name*
emailAddress    = *my mail*

[ v3_req ]
subjectKeyIdentifier    = hash
basicConstraints        = critical, CA:true
keyUsage                = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName          = @alt_names

[ ecparam ]
namedCurve      = secp384r1

[ alt_names ]
email         = *my mail*

I want to specify the Common Name, Organization Unit and alt_names DNS entry during the cert generation with the script using variables set by the user at script run time.

However, when generating the signing request as below:

openssl req -x509 -newkey ec:secp384r1 -keyout path/to/key -out path/to/cert --subj "/CN=$fqdn/OU=$ou" -addext "subjectAltName=DNS:$fqdn"

the -subj and -addext parameters are not used by OpenSSL; they are overridden by the values set in the config file (and since those are not set in the config file, the CSR therefore doesn't have any CN/OU/subjectAltName DNS set).

Is there a way to combine the command line arguments with the config file, specifically for the OU, CN and SAN values to be set in the script?

Thanks

  • openssl req -x509 -new[key] ... generates a self-signed cert (as your path/to/cert suggests) not a "signing request" or "CSR". Such a cert cannot "us[e] my CA". req -new[key] -x509 does not use a config section designated by req_extensions like you have, but instead one designated by x509_extensions; in the upstream 'standard' config this is [v3_ca] not [v3_req]. But I cannot reproduce; with both 1.1.1 and 3.0 -subj (only one hyphen needed) and -addext DO override (the latter per extension) the (corrected) config file. ... Commented Feb 1, 2023 at 12:15
  • ... However you don't need to use the commandline options; an alternative is to have the shell variable(s) exported as environment variable(s), and OpenSSL's config file can use environment variable(s); see the man page. Commented Feb 1, 2023 at 12:16
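The environment-variable route the second comment points at, as an added example (not code from the question or the commenter): the config references `${ENV::FQDN}` and `${ENV::OU}`, the script exports those two names (chosen here) for the `openssl req` call, and the resulting CSR is inspected to confirm the CN and the DNS SAN actually came through. The key is generated with `-newkey ec -pkeyopt ec_paramgen_curve:secp384r1`, the form `openssl req` accepts for a named curve.

```shell
#!/bin/sh
# Added example, not part of the original question. OpenSSL's config parser
# expands ${ENV::NAME} from the process environment; if NAME is unset the
# config fails to load ("variable has no value"), so nothing silently
# falls back to an empty CN or SAN.
set -eu

# write_req_conf FILE: writes a [req] config whose CN, OU and SAN are taken
# from the environment variables FQDN and OU (names assumed by this example).
write_req_conf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
string_mask         = utf8only
default_md          = sha256
distinguished_name  = dn
req_extensions      = v3_req

[ dn ]
C   = XX
O   = Example CA
OU  = ${ENV::OU}
CN  = ${ENV::FQDN}

[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
subjectAltName   = DNS:${ENV::FQDN}
EOF
}

# make_csr FQDN OU KEYFILE CSRFILE: exports the two values for the single
# openssl invocation (a CSR, not a self-signed cert, so -x509 is not used),
# then prints the SAN entry parsed back out of the CSR so it can be checked.
make_csr() {
  conf="$(mktemp)"
  write_req_conf "$conf"
  FQDN="$1" OU="$2" openssl req -new -newkey ec \
      -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
      -keyout "$3" -out "$4" -config "$conf"
  rm -f "$conf"
  openssl req -in "$4" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
```

Signing the CSR afterwards with `openssl ca -config <your ca config>` is unchanged; only the request side needs the environment variables.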
