Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

OpenSSL Generate CSR non-interactive

Published: 09-02-2013 | Author: Remy van Elst | Text only version of this article


❗ This post is over seven years old. It may no longer be up to date. Opinions may have changed.

This is a short command to generate a CSR (certificate signing request) with openssl without being prompted for the values which go in the certificate's Subject field.

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

When you use OpenSSL to generate a CSR and a private key you use the following command:

openssl req -nodes -newkey rsa:2048 -keyout private.key -out CSR.csr

This is the output:

Generating a 2048 bit RSA private key
.................................................................+++
.......................................................................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:ssl.raymii.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You can see that you have to fill in a lot of data during the generation. If you do not want that, maybe because you are using a script to generate a lot of CSR's and private keys, you use the following command. It does the same as the above command, but it has all the data in it:

openssl req -nodes -newkey rsa:2048 -keyout private.key -out CSR.csr -subj "/C=NL/ST=Zuid Holland/L=Rotterdam/O=Sparkling Network/OU=IT Department/CN=ssl.raymii.org"

This is the output:

Generating a 2048 bit RSA private key
.......+++
..............................................................................................................................................+++
writing new private key to 'private.key'
-----

This is what the -subj option does:

You can also give a /serialNumber=0123456 with the above option. This is NOT the serial number the issuing Certificate Authority (CA) will use, but a way to give extra information to a certificate. If you have a CN for John Doe, and another one, the serialNumber field can be used to distinguish John Doe 1 from John Doe 2's certificate. Click here for more info.

Tags: certificates , csr , openssl , pki , private-key , public-key , snippets , ssl