HowTo: Create CSR using OpenSSL Without Prompt (Non-Interactive)

In this article you’ll find how to generate CSR (Certificate Signing Request) using OpenSSL from the Linux command line, without being prompted for values which go in the certificate’s subject field.

Below you’ll find two examples of creating CSR using OpenSSL.

In the first example, i’ll show how to create both CSR and the new private key in one command.

And in the second example, you’ll find how to generate CSR from the existing key (if you already have the private key and want to keep it).

Both examples show how to create CSR using OpenSSL non-interactively (without being prompted for subject), so you can use them in any shell scripts.

Create CSR and Key Without Prompt using OpenSSL

Use the following command to create a new private key 2048 bits in size example.key and generate CSR example.csr from it:

$ openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
Option Description
openssl req certificate request generating utility
-nodes if a private key is created it will not be encrypted
-newkey creates a new certificate request and a new private key
rsa:2048 generates an RSA key 2048 bits in size
-keyout the filename to write the newly created private key to
-out specifies the output filename
-subj sets certificate subject

Generate CSR From the Existing Key using OpenSSL

Use the following command to generate CSR example.csr from the private key example.key:

$ openssl req -new -key example.key -out example.csr -subj "/C=GB/ST=London/L=London/O=Global Security/OU=IT Department/CN=example.com"
Option Description
openssl req certificate request generating utility
-new generates a new certificate request
-key specifies the file to read the private key from
-out specifies the output filename
-subj sets certificate subject

Automated Non-Interactive CSR Generation

The magic of CSR generation without being prompted for values which go in the certificate’s subject field, is in the -subj option.

-subj arg Replaces subject field of input request with specified data and outputs modified request. The arg must be formatted as /type0=value0/type1=value1/type2=…, characters may be escaped by \ (backslash), no spaces are skipped.

The fields, required in CSR are listed below:

Field Meaning Example
/C= Country GB
/ST= State London
/L= Location London
/O= Organization Global Security
/OU= Organizational Unit IT Department
/CN= Common Name example.com

You’ve created encoded file with certificate signing request.

Now you can decode CSR to verify that it contains the correct information.

Was it useful? Share this post with the world!

32 Replies to “HowTo: Create CSR using OpenSSL Without Prompt (Non-Interactive)”

  1. Nice, thank you!

  2. Why not use a -config file instead? Rather than writing that cumbersome -subj string. It would be more readable and easier to correct.

    It’s in standard .ini format. Like so:

    [ req ]
    prompt = no
    default_bits = 4096
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    
    [ req_distinguished_name ]
    C=
    ST=
    L=
    O=
    OU=
    CN=
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = hostname.domain.tld
    DNS.2 = hostname
    IP.1 = 10.20.30.40
    

    You may need to adjust based on the capabilities of your signing CA.

  3. @Trey Because sometimes it is better to run just one command (especially when you want to automate stuff).

  4. your-boy-kitty says: Reply

    yeah, and then you dont need to manage some other file, like openssl.cnf. also, you can pull the command easily from history, and you cannot do that with the contents of a file.

  5. hi guys!
    everything above is great and works fine.
    but could you please help me with -days parameter in req routine? i’m gonna request a 10-years certificate, so i just set -days 3650 and… get 1-year cert from my CA instead!
    where should i dig? maybe the configuration of corresponding certificate template @CA supresses too long certificate’s lifetime requested?

    1. Hello,
      According to PKCS #10: Certification Request Syntax Specification there is no posibility to specify validity period in CSR. The -days option is used not for CSR but for certificate generation. If you run the following command against your CSR, you will see that it doesn’t carry information about validity period:

      $ openssl asn1parse <example.csr

      Check man req for more information.

  6. The validity period is set on the CA under the configuration of the certificate template. You request the certificate the CA determines the length the certificate will be valid.

  7. Hi, is there also an option for alt_names which works in the same way as -subj?

    1. Good question! How can we add SAN entries to the CSR?

    2. -addext “subjectAltName = DNS:foo.co.uk”

      1. Hmmm, that option is documented in the openssl man page, but does not seem to work actually. not sure if there is a way.

        1. Based on the openssl-req man page, -addext only works when -x509 is present, but that implies creation of a self-signed cert; perhaps not what you intend.

          Using environment variables in the config is supported with ${ENV::Name}, provided Name is exported beforehand, but it does entail use/maintenance of a file-based config. To avoid errors, defaults can be established (e.g., Name=something) at the top before any sections are declared.

          I’ve yet to mix -subj and -config in my own investigations, but will probably dive in soon.

  8. HI,
    How to add Email address E=test.example.com

    1. /emailAddress=sexi@mailinator.com

      in case some one else is looking for this

      1. thanks 🙂

  9. Hi,
    My client would like to automate CSRs for their 100+ apps ,could anyone tell how we can do that…thru script …if anyone pls share.

    THanks
    Hari

    1. Creating CSR,sending to CA,pulling the CSR and installing in APp\box,everything end to end need in automation script,pls.share if anyone having or help us.

      THanks
      hari

      1. I’ve written some Powershell to create all conf files (with SANs) and all CSRs with input as a csv – would that help?

          1. Can i have it too?

  10. for information /emailAddress= is case sensitive !

  11. How to pass /emailAddress as parameter ?

  12. Thanks to admin

  13. Marco Franssen says: Reply

    How do I provide alt_names using this commandline approach?

  14. How do I provide value for challenge password using this approach?

    1. Hi Prasanth,
      Did you find a way for this?

      1. Is there any news?

  15. SANTHOSH KUMAR MK says: Reply

    How pass Sign the certificate? [y/n]: in this case

  16. has any one did this automated in python by any chance and can share the script.

    1. I know that my answer ain’t helpful, but guys everything is laid out in the article. Just go read how to use os.system in Python and write that damn script on your own!

  17. Thanks

Leave a Reply