
Complex CSRs with an OpenSSL command line wrapper

Using OpenSSL to generate keys and Certificate Signing Requests is easy, unless you want to control extended attributes like Subject Alternative Names. Until recently the only way to do it was to edit the config file being fed to OpenSSL. And in my experience, once you've done that, history is a series of losing the OpenSSL config file you created and having to Google around until you figure it out again.

While trying to figure out how to make this process easier for people I'm working with, I found some clever tricks described on Stack Exchange for feeding the config file into OpenSSL using Bash Here Documents. The more I played with that, though, the more complex my rewriting of the OpenSSL config file became - until I decided to inline the entire config file into the script, write it on the fly, and use it to make OpenSSL config file options seamlessly available to the command line.

The result, one_genkey, is available on GitHub for you to play with.
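The here-document approach described above can be sketched as follows. This is an added example, not code from one_genkey: the function names `build_csr_config` and `make_csr` are hypothetical, the common name is assumed to be a hostname and is also emitted as the first SAN, and every value is checked before it is interpolated so that an argument cannot inject extra config lines.

```shell
# Added example, not one_genkey's code; function names are assumptions.
# Print an OpenSSL "req" config whose SAN list is built from the arguments.
# Usage: build_csr_config <common-name> [more DNS names or IP addresses...]
build_csr_config() (
    [ "$#" -gt 0 ] || exit 1
    cn=$1; alt=''; dns_n=0; ip_n=0
    nl='
'
    for san in "$@"; do
        case $san in
            ''|*[!A-Za-z0-9.:*-]*)   # newline, =, $, space: would inject config
                echo "refusing SAN value: $san" >&2; exit 1 ;;
            *:*)                     # colon: IPv6 literal
                ip_n=$((ip_n + 1)); alt="${alt}IP.${ip_n} = ${san}${nl}" ;;
            *[!0-9.]*)               # not only digits/dots: hostname
                dns_n=$((dns_n + 1)); alt="${alt}DNS.${dns_n} = ${san}${nl}" ;;
            *)                       # digits and dots only: IPv4 literal
                ip_n=$((ip_n + 1)); alt="${alt}IP.${ip_n} = ${san}${nl}" ;;
        esac
    done
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = ${cn}

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
${alt}
EOF
)

# Write the config on the fly, run OpenSSL against it, then remove it.
# Usage: make_csr <output-basename> <common-name> [SANs...]
make_csr() (
    out=$1; shift
    umask 077                        # key and temp config: owner-only
    cfg=$(mktemp) || exit 1
    trap 'rm -f "$cfg"' EXIT
    build_csr_config "$@" > "$cfg" || exit 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "${out}.key" -out "${out}.csr" -config "$cfg"
)
# Inspect the result with: openssl req -in <output-basename>.csr -noout -text
```

For example, `make_csr www www.example.test api.example.test 192.0.2.10` (constructed names) writes `www.key` and `www.csr` with three SAN entries.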

