OpenSSL defaults for certificate generation
October 19, 2009
OpenSSL deliberately provides rather useless defaults when certificates are generated. Here's one way of saving yourself some typing when you're frequently confronted with this chore.
We routinely generate self-signed certificates for applications we run for our customers, and for our own systems and projects. Since these typically have limited audiences that are easily instructed, self-signed certificates are a cheap way of increasing security. The problem is that maintaining numerous certificates becomes a bit of a drag, when each time a certificate is added or replaced, information on the issuer of the certificate needs to be entered. Most often, but not always, we put our company information in the certificates, so that our customers know who to contact with problems and questions. Fortunately, there is a simple way of providing defaults to the certificate parameters.
On the system you're generating your certificates on, look for a file named openssl.cnf. On an Ubuntu Jaunty Jackalope, it's in /etc/ssl, on a CentOS 4 it's in /usr/share/ssl, and on a CentOS 5 it's in /etc/pki/tls, so you might have to hunt around for it. Once you've located it, open it in your favorite editor. You'll need root privileges for that. In the file, look for a section named [ req_distinguished_name ]. It will look something like this:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Berkshire

localityName = Locality Name (eg, city)
localityName_default = Newbury

0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3
As you may have guessed, the trick is to replace the *_default values with something more representative of your organisation. These values are then offered as the defaults when you request a certificate (as in openssl req), so you can simply press Enter to accept each one while still being free to type a different value. You can also remove a field from the process entirely by commenting out its variables, as is done here with 1.organizationName. Note that a field removed this way will also be absent from any certificate you generate.
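As an added example (not from the original post), the script below keeps the same idea out of the system-wide openssl.cnf: it writes a private config with our own [ req_distinguished_name ] defaults, points openssl req at it with -config, and uses -batch so every default is accepted without prompting. The organisation, location and hostname values are constructed samples, and organizationalUnitName is deliberately left commented out to show that it then neither prompts nor appears in the certificate.

```shell
#!/bin/sh
# Added example: private openssl.cnf with our own DN defaults, consumed
# non-interactively by `openssl req -batch`. Sample values are constructed.
set -eu

WORKDIR="$(mktemp -d)"
CNF="$WORKDIR/openssl.cnf"
trap 'rm -rf "$WORKDIR"' EXIT

write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = yes
default_md = sha256

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Noord-Holland
localityName = Locality Name (eg, city)
localityName_default = Amsterdam
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example Hosting BV
# organizationalUnitName is commented out: never prompted, never in the cert
#organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server's hostname)
commonName_default = app.example.net
commonName_max = 64
EOF
}

# Self-signed certificate built purely from the *_default values (-batch
# accepts each default), then the subject line OpenSSL actually wrote.
generate_cert() {
  openssl req -new -x509 -batch -nodes -newkey rsa:2048 -days 365 \
    -config "$CNF" -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
  openssl x509 -in "$WORKDIR/cert.pem" -noout -subject
}

cert_subject() {
  write_config
  generate_cert
}

cert_subject
```

Fields that have no *_default are skipped in -batch mode, so anything you want in the certificate must carry a default when you generate non-interactively.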