OpenSSL "req -config" - Using Configuration File

Q

Can I use my own configuration file when running "req" command?

✍: FYIcenter.com

A

Yes, you can specify your own configuration file using the "-config file" option when running the "req" command.

The OpenSSL configuration file lets you control the behavior of the "req" command with the following options:

  • utf8 - If set to the value "yes", field values are interpreted as UTF8 strings; by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.
  • prompt - If set to the value "no", the distinguished_name options are used as field values instead of prompting labels, and the user is not prompted. If set to the value "yes", the distinguished_name options are used as prompting labels instead of values, and the user is prompted. The default is "prompt=yes".
  • input_password - The password for the input private key file, if a private key is needed and provided.
  • output_password - The password for the output private key file, if a private key is generated and encrypted.
  • default_bits - Specifies the default key size in bits, if a private key is generated.
  • default_keyfile - The default filename to write a private key to. This can be overridden by the -keyout option on the command line.
  • encrypt_key - If this is set to "no", a generated private key is not encrypted. This is equivalent to the -nodes command line option.
  • default_md - Specifies the digest algorithm to use. Any digest supported by the OpenSSL "dgst" command can be used. If not present, MD5 is used. This option can be overridden on the command line. For example, "default_md=md5" can be overridden by the "-md5" or "-sha256" command line option.
  • distinguished_name - Specifies the section containing the distinguished name fields to prompt for when generating a CSR or self-signed certificate. distinguished_name is required when using the "req -new" or "req -newkey" command. See the next tutorial for details of the distinguished_name fields.
  • req_extensions - Specifies the configuration file section containing a list of extensions to add to the certificate request. It can be overridden by the -reqexts command line option. See the next tutorial for details of the req_extensions options.
  • x509_extensions - Specifies the configuration file section containing a list of extensions to add to the certificate generated when the -x509 switch is used. It can be overridden by the -extensions command line option. See the next tutorial for details of the x509_extensions options.
  • attributes - Specifies the configuration file section containing additional CSR attributes, such as challengePassword.

There are 3 ways to specify "req" options in the configuration file:

1. Provide "req" options in the unnamed section at the beginning of the configuration file. For example:

default_md = md5
...

[section...]

2. Provide "req" options in the [req] section in the configuration file. For example:

[req]
input_password = fyicenter
...

The following example shows how to create an OpenSSL configuration file and use it with the OpenSSL "req" command:

C:\Users\fyicenter> type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password = fyicenter

C:\Users\fyicenter>\local\openssl\openssl.exe
OpenSSL> req -x509 -in rsa_test.csr -key rsa_test.key -out test.crt
   -config test.cnf

OpenSSL> x509 -in test.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            d0:17:e6:c8:44:4a:0d:57
    Signature Algorithm: md5WithRSAEncryption
    ...

The output confirms that:

  • "req" command did not prompt for the password of the private key file, because "input_password = fyicenter" is provided in the [req] section of the configuration file
  • "req" command used MD5 as the digest algorithm instead of the default SHA256 algorithm, because "default_md = md5" is provided in the unnamed section of the configuration file.

2016-11-03