OpenSSL: How to create a certificate with an empty subject DN?

14

3

Is it possible to create a PKCS#10 certificate request / X.509 certificate with the identifying information only in the subject alternate name attribute/extension? According to X.509 4.1.2.6 Subject, the subject can be empty for a certificate whose subject is not a CA as long as the subjectAltName is critical.

But when I use this config file with an empty distinguished_name section:

# request.config
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com

and commands

openssl genrsa 1024 > key.pem
openssl req -new -key key.pem -out req.pem -config request.config

OpenSSL complains:

error, no objects specified in config file
problems making Certificate Request

yonran

Posted 2012-11-30T01:46:06.193

Reputation: 482

Answers

11

This worked for me:

test-no-cn.cnf file

[req] 
default_bits       = 4096
encrypt_key        = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com,URI:http://example.com/,IP:192.168.7.1,dirName:dir_sect

[dir_sect]
C=DK
O=My Example Organization
OU=My Example Unit
CN=My Example Name

Generate the CSR

openssl req -new -newkey rsa:4096 -nodes -config test-no-cn.cnf -subj "/" -outform pem -out test-no-cn.csr -keyout test-no-cn.key

Sign the CSR

openssl x509 -req -days 365 -in test-no-cn.csr -signkey test-no-cn.key -out test-no-cn.crt -outform der -extensions v3_req -extfile test-no-cn.cnf

View the resulting certificate

openssl x509 -inform der -in test-no-cn.crt -noout -text

bpawlak

Posted 2012-11-30T01:46:06.193

Reputation: 126

8

I also ran into this "no objects specified" error. It was displaying a prompt like this for various fields:

US []:

And I was just pressing enter because I had already set these values in the .cnf file. It turns out I needed to type all the values again, and then it worked.

Oran Dennison

Posted 2012-11-30T01:46:06.193

Reputation: 181

I had to do the same. Despite putting values in the config file, it still prompted me for all the DN components again. I had to repeat them, but it worked at least. – Nate W. – 2014-09-03T17:50:14.730

3

This is because the config file did not actually contain default values. C = US means that the "prompt" for C is "US", not the default value. Instead, the file should contain C = Country and C_default = US. – jordanbtucker – 2014-10-14T22:55:21.823

5

Oh, and that's only if prompt = yes [or blank]. If prompt = no then C = US would mean "US" is the default value. – jordanbtucker – 2014-10-14T23:06:23.387

3

The problem is with prompt = no in the original config. That makes openssl req assume you intend to specify subject entries in the config file and hits a preliminary check in req.c.

There's a workaround: Remove prompt = no, and instead add -subj / to your openssl req command line. Here's an example script that produces both a CSR and a self-signed certificate:

cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com
EOF
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -out req.csr
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -x509 -out cert.crt

jsha

Posted 2012-11-30T01:46:06.193

Reputation: 181
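The workaround above, carried through end to end and followed by the check a practitioner wants before trusting such a certificate. This is an added example, not code from any answer on this page: it builds the CSR and a self-signed certificate with -subj "/", then verifies that the subject really is empty and that subjectAltName is marked critical, which is the condition the question cites from X.509. The config file and the key/output file names are constructed for the example; the SAN e-mail address is the one from the question.

```shell
#!/bin/sh
# Added example: empty-subject CSR + self-signed cert via -subj "/", then verify.
set -eu

# Constructed config: no DN fields, no "prompt = no"; the subject comes from -subj "/".
# x509_extensions points at the same section so the self-signed cert gets the SAN too.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = critical,email:certtest@example.com
EOF
}

# Create key.pem, req.csr and cert.crt in directory $1 (all file names constructed).
make_empty_subject_cert() {
  dir=$1
  write_config "$dir/openssl.cnf"
  openssl req -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" -new -subj "/" \
    -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null
  # Reuse the CSR's key for the self-signed cert instead of generating a second one.
  openssl req -key "$dir/key.pem" -config "$dir/openssl.cnf" -new -subj "/" \
    -x509 -days 365 -out "$dir/cert.crt"
}

# Verify a PEM certificate: subject must be empty and the SAN extension critical.
# Returns 0 when both hold, 1 otherwise (reason on stderr).
check_empty_subject_cert() {
  # Older releases print "subject= " with a trailing space; strip it before comparing.
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/[[:space:]]*$//')
  [ "$subj" = "subject=" ] || { echo "subject is not empty: $subj" >&2; return 1; }
  openssl x509 -in "$1" -noout -text \
    | grep -q 'X509v3 Subject Alternative Name: critical' \
    || { echo "subjectAltName is not critical" >&2; return 1; }
}

if [ "${1:-}" = "run" ]; then
  tmp=$(mktemp -d)
  make_empty_subject_cert "$tmp"
  check_empty_subject_cert "$tmp/cert.crt" && echo "ok: empty subject, critical SAN"
fi
```

Run it as `sh script.sh run`; a certificate whose subject is non-empty or whose SAN is not critical makes the check return 1.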

2

Try "commonName = optional" in the policy sections of the openssl configuration file.

Artem

Posted 2012-11-30T01:46:06.193

Reputation: 21

1

It seems that if you enter any single value from the "distinguished_name" group from your keyboard, it works fine... I mean you do not need to enter the other values and can use their defaults (as mentioned in the openssl.conf file). That said,

[ req ]
...
distinguished_name = req_distinguished_name
prompt = no
...

Should work fine.

hardeep

Posted 2012-11-30T01:46:06.193

Reputation: 11