
Complex CSRs with an OpenSSL command line wrapper

Using OpenSSL to generate keys and Certificate Signing Requests is easy, unless you want to control extended attributes such as Subject Alternative Names. Until recently the only way to do that was to edit the config file fed to OpenSSL (the `[req]`, `req_extensions` and `subjectAltName` sections), and in my experience, once you've done it, history becomes a cycle of losing the config file you wrote and Googling around until you figure it out again.

While trying to make this process easier for people I'm working with, I found some clever tricks described on Stack Exchange for feeding the config file into OpenSSL using Bash here documents. The more I played with that, though, the more complex my rewriting of the OpenSSL config file became, until I decided to inline the entire config file into the script, write it on the fly, and use it to make OpenSSL config file options seamlessly available on the command line.
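Here is what that technique looks like end to end, as an added example that is not the `one_genkey` code itself: a function writes the `[req]` config (including an `[alt_names]` section) from its arguments, and the output is piped to `openssl req -config /dev/stdin`, which is the same thing a here document does. The function names (`gen_req_config`, `make_csr`, `show_sans`), the RSA-2048 key choice and the `digitalSignature, keyEncipherment` / `serverAuth` extensions are my assumptions for a typical TLS server CSR, and the sample hostnames and the 192.0.2.10 address are constructed, not taken from the post.

```shell
#!/bin/sh
# Added example, not the one_genkey project's code. Portable POSIX sh.
set -eu

# gen_req_config CN SAN... : print an OpenSSL `req` config on stdout.
# SANs that consist only of digits and dots are emitted as IP entries,
# everything else as DNS entries (assumption: no IPv6 SANs needed here).
gen_req_config() {
  cn=$1; shift
  printf '%s\n' \
    '[req]' \
    'prompt = no' \
    'distinguished_name = dn' \
    'req_extensions = v3_req' \
    '' \
    '[dn]' \
    "CN = $cn" \
    '' \
    '[v3_req]' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = @alt_names' \
    '' \
    '[alt_names]'
  dns=0; ip=0
  for san in "$@"; do
    case $san in
      *[!0-9.]*) dns=$((dns + 1)); printf 'DNS.%d = %s\n' "$dns" "$san" ;;
      *)         ip=$((ip + 1));   printf 'IP.%d = %s\n'  "$ip"  "$san" ;;
    esac
  done
}

# make_csr OUTBASE CN SAN... : write OUTBASE.key and OUTBASE.csr.
# The generated config never touches disk; it is streamed to /dev/stdin,
# exactly as a here document (`-config /dev/stdin <<EOF ... EOF`) would be.
make_csr() {
  out=$1; shift
  umask 077   # the private key is written unencrypted (-nodes); keep it owner-only
  gen_req_config "$@" | openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out.key" -out "$out.csr" -config /dev/stdin
}

# show_sans CSRFILE : print the SAN extension the CA will actually see.
# Always check this; a CSR with a missing req_extensions line is silently SAN-less.
show_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh this_script.sh OUTBASE CN SAN...
# Runs only when arguments are given, so the file can also be sourced for its functions.
if [ "$#" -ge 2 ]; then
  make_csr "$@"
  show_sans "$1.csr"
fi
```

For example, `sh this_script.sh web www.example.com www.example.com example.com 192.0.2.10` produces `web.key`, `web.csr` and prints the SAN line containing `DNS:www.example.com, DNS:example.com, IP Address:192.0.2.10`. Note that the CN is not automatically a SAN; modern browsers ignore the CN entirely, so list it again as a `DNS` entry as done here.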

The result, one_genkey, is available on GitHub for you to play with.