OpenSSL "req" - "prompt=yes" Mode with DN Defaults

Q

How to specify DN value defaults when using the "prompt=yes" mode of the OpenSSL "req -new" command?

✍: FYIcenter.com

A

If you are using "prompt=yes" mode, you can also set DN (Distinguished Name) default values in the configuration file. OpenSSL will then prompt the user for each DN field and show its default value in brackets. The user can press the "Enter" key to take the default value.

Note that if you want to remove the default value and leave the field blank, you can enter "." at the prompt.

For example, "countryName=Country Name" and "countryName_default=US" will tell OpenSSL to prompt the user with "Country Name [US]:" for the countryName field. The user can press the "Enter" key to take "US", enter "." to remove "US" and leave the field blank, or enter "CA" for another country.

Below is a test showing you how to use DN default values, together with length limits, in the OpenSSL configuration file.

C:\Users\fyicenter>type test.cnf
# unnamed section of generic options
default_md = md5

# default section for "req" command options
[req]
input_password     = fyicenter
prompt             = yes
distinguished_name = my_req_dn_prompt

[my_req_dn_prompt]

# A minimum of 4 bytes is needed for the common name
commonName         = Common Name
commonName_min     = 4
commonName_max     = 32
commonName_default = FYIcenter.com Root CA

# ISO2 country code only
countryName         = Country Name
countryName_min     = 2
countryName_max     = 2
countryName_default = US

# State is optional, no minimum limit
stateOrProvinceName         = State
stateOrProvinceName_max     = 24
stateOrProvinceName_default = NY

# City is required
localityName         = City
localityName_min     = 3
localityName_max     = 24
localityName_default = New York

# Organization is optional
organizationName         = Organization
organizationName_max     = 48
organizationName_default = FYIcenter.com

# Organization Unit is optional
organizationalUnitName         = Department
organizationalUnitName_max     = 48
organizationalUnitName_default = IT

# Email is optional
emailAddress         = Email
emailAddress_max     = 48
emailAddress_default = ca@fyicenter.com

C:\Users\fyicenter>\local\openssl\openssl.exe

OpenSSL> req -new -key rsa_test.key -out test.csr -config test.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name [FYIcenter.com CA]:
Country Name [US]:
State [NY]:
City [New York]:
Organization [FYIcenter.com]:
Department [IT]:.
Email [ca@fyicenter.com]:root@fyicenter.com

OpenSSL> req -in test.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=FYIcenter.com CA, C=US, ST=NY, L=New York, 
                 O=FYIcenter.com/emailAddress=root@fyicenter.com
...

As you can see from the test, setting DN default values makes the OpenSSL "req -new" command much easier to use: you can keep pressing the "Enter" key if you like the default values.
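The same "Enter takes the default, '.' leaves the field blank, anything else overrides" behaviour can be exercised without an interactive session by feeding the prompt answers to "openssl req" on standard input and then reading the subject back out of the CSR. The script below is an added example written for this page, not FYIcenter's own test or part of OpenSSL; the CA name, organization, email address and the temporary working directory are made up for the demonstration. It uses a throwaway unencrypted key generated with "-newkey ... -nodes" instead of a pre-existing "rsa_test.key", and sha256 as the signature digest in place of the md5 shown above.

```shell
#!/bin/sh
# Added example (not from the FYIcenter page): drive the "prompt=yes" DN
# prompts of "openssl req -new" from stdin and check the resulting subject.
# All names (Example Root CA, example.com, Example Inc) are constructed.
set -eu

# Write a req config with DN prompts, defaults and length limits.
# default_md is sha256 here rather than the md5 used on the page, and no
# key passphrase is stored in the file (the demo key is created with -nodes).
write_config() {
    cat > "$1" <<'EOF'
default_md = sha256

[req]
prompt             = yes
distinguished_name = dn_prompt

[dn_prompt]
commonName         = Common Name
commonName_min     = 4
commonName_max     = 64
commonName_default = Example Root CA

countryName         = Country Name
countryName_min     = 2
countryName_max     = 2
countryName_default = US

stateOrProvinceName         = State
stateOrProvinceName_max     = 24
stateOrProvinceName_default = NY

localityName         = City
localityName_min     = 3
localityName_max     = 24
localityName_default = New York

organizationName         = Organization
organizationName_max     = 48
organizationName_default = Example Inc

organizationalUnitName         = Department
organizationalUnitName_max     = 48
organizationalUnitName_default = IT

emailAddress         = Email
emailAddress_max     = 48
emailAddress_default = ca@example.com
EOF
}

# Answer the seven DN prompts in config order. An empty line accepts the
# default, "." leaves the field blank, any other text overrides the default.
# Here: defaults for CN, C, ST, L and O; "." clears OU; the email is replaced.
# Prints the CSR subject in RFC 2253 form (stable across OpenSSL versions).
make_csr() {
    dir=$(mktemp -d)
    write_config "$dir/test.cnf"
    printf '\n\n\n\n\n.\nroot@example.com\n' |
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/test.key" -out "$dir/test.csr" \
            -config "$dir/test.cnf" 2>/dev/null || { rm -rf "$dir"; return 1; }
    openssl req -in "$dir/test.csr" -noout -subject -nameopt RFC2253
    rm -rf "$dir"
}

# Verify that the CSR subject reflects the answers: CN default taken,
# OU dropped by ".", email overridden. Prints the subject and returns 0 on
# success, returns 1 with a short message otherwise.
check_subject() {
    subj=$(make_csr) || { echo "CSR generation failed"; return 1; }
    case "$subj" in
        *"CN=Example Root CA"*) ;;
        *) echo "CN default not applied: $subj"; return 1 ;;
    esac
    case "$subj" in
        *"OU="*) echo "OU should have been cleared by '.': $subj"; return 1 ;;
    esac
    case "$subj" in
        *"root@example.com"*) ;;
        *) echo "email override missing: $subj"; return 1 ;;
    esac
    echo "$subj"
}

check_subject
```

Because "req" aborts with "problems making Certificate Request" when it hits end of input before all fields are answered, the number of lines fed on stdin must match the number of DN entries in the config exactly; that is also why a script should read the subject back (or run "openssl req -verify") rather than assume the CSR came out as intended.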


2016-10-29