OpenSSL: How to create a certificate with an empty subject DN?
This worked for me:
test-no-cn.cnf file
[req]
default_bits = 4096
encrypt_key = no
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:[email protected],URI:http://example.com/,IP:192.168.7.1,dirName:dir_sect
[dir_sect]
C=DK
O=My Example Organization
OU=My Example Unit
CN=My Example Name
Generate the CSR
openssl req -new -newkey rsa:4096 -nodes -config test-no-cn.cnf -subj "/" -outform pem -out test-no-cn.csr -keyout test-no-cn.key
Sign the CSR
openssl x509 -req -days 365 -in test-no-cn.csr -signkey test-no-cn.key -out test-no-cn.crt -outform der -extensions v3_req -extfile test-no-cn.cnf
View the resulting certificate
openssl x509 -inform der -in test-no-cn.crt -noout -text
I also ran into this "no objects specified" error. It was displaying a prompt like this for various fields:
US []:
And I was just pressing enter because I had already set these values in the .cnf file. It turns out I needed to type all the values again, and then it worked.
The problem is with prompt = no in the original config. That makes openssl req assume you intend to specify subject entries in the config file and hits a preliminary check in req.c.
There's a workaround: Remove prompt = no, and instead add -subj / to your openssl req command line. Here's an example script that produces both a CSR and a self-signed certificate:
cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:[email protected]
EOF
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
-out req.csr
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
-x509 -out cert.crt