OpenSSL defaults for certificate generation

Joor Loohuis, October 19, 2009, 19594 views.

OpenSSL deliberately provides rather useless defaults when certificates are generated. Here's one way of saving yourself some typing when you're frequently confronted with this chore.

Tags: , , ,

We routinely generate self-signed certificates for applications we run for our customers, and for our own systems and projects. Since these typically have limited audiences that are easily instructed, self-signed certificates are a cheap way of increasing security. The problem is that maintaining numerous certificates becomes a bit of a drag, when each time a certificate is added or replaced, information on the issuer of the certificate needs to be entered. Most often, but not always, we put our company information in the certificates, so that our customers know who to contact with problems and questions. Fortunately, there is a simple way of providing defaults to the certificate parameters.

On the system you're generating your certificates on, look for a file named openssl.cnf. On an Ubuntu Jaunty Jackalope, it's in /etc/ssl, on a CentOS 4 it's in /usr/share/ssl, and on a CentOS 5 it's in /etc/pki/tls, so you might have to hunt around for it. Once you've located it, open it in your favorite editor. You'll need root privileges for that. In the file, look for a section named [ req_distinguished_name ]. It will look something like this:

 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 countryName_default             = GB
 countryName_min                 = 2
 countryName_max                 = 2
 stateOrProvinceName             = State or Province Name (full name)
 stateOrProvinceName_default     = Berkshire
 localityName                    = Locality Name (eg, city)
 localityName_default            = Newbury
 0.organizationName              = Organization Name (eg, company)
 0.organizationName_default      = My Company Ltd
 # we can do this but it is not needed normally :-)
 #1.organizationName             = Second Organization Name (eg, company)
 #1.organizationName_default     = World Wide Web Pty Ltd
 organizationalUnitName          = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
 commonName                      = Common Name (eg, your name or your server's hostname)
 commonName_max                  = 64
 emailAddress                    = Email Address
 emailAddress_max                = 64
 # SET-ex3                       = SET extension number 3

As you may have guessed, the trick is to replace the default values with something that is more representative of your organisation. These will then be prompted as the defaults when you request (as in openssl req) a certificate, so that you can just press 'enter' to confirm, but you still have the option to enter another value. You can also entirely eliminate a field from the process by outcommenting the variable, such as is done here with 1.organizationName. Note that this will also mean that the information will not be part of any certificate you generate.

Social networking: Tweet this article on Twitter Pass on this article on LinkedIn Bookmark this article on Google Bookmark this article on Yahoo! Bookmark this article on Technorati Bookmark this article on Delicious Share this article on Facebook Digg this article on Digg Submit this article to Reddit Thumb this article up at StumbleUpon Submit this article to Furl


respond to this article

Re: OpenSSL defaults for certificate generation (Klaas van Gend, 2009-10-20 08:27 CEST)
On Opensuse 11.1, it's also /etc/ssl/openssl.cnf .