Reputation: 3728
I'd like to include a basicConstraints=CA:TRUE,pathlen:0 constraint in my self-signed CA creation script, and it would go a very long way to simplify my procedure if I didn't have to create a config file and all the folder structure of a proper CA.
I'm trying to create an intermediate cert that can only sign end certs, not further CAs. I will be using bouncycastle to sign all further certs; the folder structure I would need to create for a proper CA will not be used anyway.
Upvotes: 37
Views: 57586
Reputation: 931
basicConstraints without openssl.cnf: I couldn't see how to avoid using it entirely, but using the default config and commenting out anything you set by command line seems efficient enough.
The -addext option can be used multiple times. Given an already-existing privkey.pem, and with the caveat that e.g. /etc/ssl/openssl.cnf does not have conflicting instructions, the following seems to do it without the bashism.
DAYS='240'
SUBJECT='/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US'
SERIAL='0x1001'
openssl req \
-addext basicConstraints=critical,CA:TRUE,pathlen:1 \
-outform pem -out cacert.pem \
-key privkey.pem -new -x509 \
-days "${DAYS}" \
-subj "${SUBJECT}" \
-set_serial "${SERIAL}"
Upvotes: 36
Reputation: 8487
You do not need to create an OpenSSL configuration file, or any folder structure at all, to create a self-signed certificate using OpenSSL.
For example, here is what a minimal OpenSSL configuration file might contain to set the basic constraints extension as you ask:
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
And here I create a self-signed certificate using OpenSSL from a Bash shell with this "configuration file", only, it's not a file -- it's a shell variable:
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"
openssl req -config <(echo "$CONFIG") -new -newkey rsa:2048 -nodes \
-subj "/CN=Hello" -x509 -extensions ext -keyout key.pem -out crt.pem
Good luck!
Upvotes: 25
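Putting the two answers together, as an added example that is not from either answer: a POSIX sh script that builds a pathlen:0 root with -addext (first answer) and a minimal throw-away config file (second answer's idea, written to a temp file instead of bash process substitution), then checks that the extension is actually in the certificate and shows what pathlen:0 buys you: a leaf issued directly by the root verifies, while a leaf issued through an intermediate that the root signed anyway is rejected by openssl verify. The mktemp directory, file names and subject names are constructed for the demo; it assumes OpenSSL 1.1.1 or later on PATH (needed for -addext).

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Assumes: openssl >= 1.1.1 on PATH. Everything under $WORK is constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config: just enough for `req` to stop asking for a distinguished_name
# section, so the system openssl.cnf is never consulted.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/min.cnf"

newkey() {  # $1 = output path; EC keys keep the demo fast
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# Self-signed CA that may sign end-entity certs only (pathlen:0).
make_root() {
    newkey "$WORK/root.key"
    openssl req -config "$WORK/min.cnf" -new -x509 -days 30 \
        -key "$WORK/root.key" -subj "/CN=Demo Root" \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
        -out "$WORK/root.pem" 2>/dev/null
}

# Issue a cert signed by CA cert $1 / key $2 for subject $3 with extension line $4.
# The extension file has no section header, so `x509 -req` reads its default section.
issue() {
    ca_cert=$1; ca_key=$2; name=$3; ext=$4
    newkey "$WORK/$name.key"
    openssl req -config "$WORK/min.cnf" -new -key "$WORK/$name.key" \
        -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
    printf '%s\n' "$ext" > "$WORK/$name.ext"
    openssl x509 -req -days 30 -in "$WORK/$name.csr" \
        -CA "$ca_cert" -CAkey "$ca_key" \
        -set_serial "0x$(openssl rand -hex 8)" \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Check 1: the Basic Constraints value as printed for the root cert.
root_basic_constraints() {
    openssl x509 -in "$WORK/root.pem" -noout -text \
        | grep -A1 'Basic Constraints' | tail -n1 | tr -d ' '
}

# Check 2: a leaf signed directly by the root verifies (exit status 0).
leaf_under_root_ok() {
    issue "$WORK/root.pem" "$WORK/root.key" leaf1 'basicConstraints=CA:FALSE'
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf1.pem" >/dev/null 2>&1
}

# Check 3: the root is happy to sign a CA:TRUE intermediate (the x509 tool does
# not enforce the signer's own constraints), but a leaf below that intermediate
# fails path validation, because pathlen:0 forbids any CA beneath the root.
leaf_under_intermediate_rejected() {
    issue "$WORK/root.pem" "$WORK/root.key" inter 'basicConstraints=critical,CA:TRUE'
    issue "$WORK/inter.pem" "$WORK/inter.key" leaf2 'basicConstraints=CA:FALSE'
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
            "$WORK/leaf2.pem" >/dev/null 2>&1; then
        return 1   # verification unexpectedly succeeded
    fi
    return 0
}

make_root
echo "root basicConstraints: $(root_basic_constraints)"
leaf_under_root_ok && echo "leaf signed by root: OK"
leaf_under_intermediate_rejected && echo "leaf via intermediate: rejected (path length exceeded)"
```

The third check is the one worth keeping in mind for the question's setup: neither openssl x509 nor a library like BouncyCastle will refuse to produce a sub-CA certificate under a pathlen:0 CA, because the constraint is enforced by the relying party during path validation, not at signing time. Verifying a freshly built chain with openssl verify is therefore the quickest way to confirm the constraint does what you intended.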