openssl "unable to find 'distinguished_name' in config"
Near as I can tell, -config is overriding some sort of internal config; if you see the "EXAMPLES" section of the man page for openssl req, it shows an example of a config file with distinguished_name in it. On a hunch, I added the following to my config:
[req]
…
distinguished_name = req_distinguished_name
[req_distinguished_name]
# empty.
Thus, my entire config looked something like:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.*.${DOMAIN}
(Note that here, ${DOMAIN} is not literal; you should replace it with your DNS domain name. I create this file in a bash script with cat >"$OPTIONS_FILE" <<EOF, followed by the above, followed by EOF.)
openssl req … -subj <my subject> -config <that file> … then took my subject from the command line. For those interested, the entire command ended up looking like:
openssl req -new \
-key "$PRIVATE_KEY" \
-sha256 \
-config "$OPTIONS_FILE" \
-subj "/C=US/ST=California/L=San Francisco/O=My Company, Inc./CN=*.*.$DOMAIN/" \
-out "$CSR_FILENAME"
As of this posting, my understanding is that SHA-1 is deprecated¹ for X.509 certs, hence -sha256 (which is an undocumented flag…), and subjectAltName is becoming required², hence the need for the config. The only additional gotcha that I know of in order to generate a best-practice CSR to the above is that you should use an RSA key size of at least 2048 bits (if you're using RSA, which I am); you must specify the size to the openssl genrsa command, as the current default is insecure.
¹While not broken at the time I'm writing this, people feel that it is only a matter of time. See "Gradually sunsetting SHA1"
²Using CN for the domain-name is no longer recommended; I'm not sure when/if browsers are planning to deprecate this. "Move away from including and checking strings that look like domain names in the subject's Common Name.", RFC 6125
Note: I am less certain about the "correct" value of keyUsage.
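The approach in the answer above, as an added example that is not code from any of the answers: a POSIX sh function that writes a req config containing the distinguished_name key the error complains about plus a SAN list for the given names, one that runs openssl req against it, and a check that reads the resulting CSR back and confirms the SAN actually landed in it. The function names (make_req_config, make_csr, csr_has_san) are my own.

```shell
#!/bin/sh
# Added example: generate an openssl req config with a SAN list, build a CSR
# from it, and verify the SAN extension made it into the CSR.

# make_req_config NAME... -> prints an openssl.cnf on stdout.
# The first name becomes the CN; every name goes into subjectAltName.
# "prompt = no" makes req read the DN from the file instead of asking
# interactively; a -subj on the command line still overrides it.
make_req_config() {
    printf '%s\n' '[req]' \
        'distinguished_name = req_distinguished_name' \
        'req_extensions = v3_req' \
        'prompt = no' \
        '' \
        '[req_distinguished_name]' \
        "CN = $1" \
        '' \
        '[v3_req]' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'subjectAltName = @alt_names' \
        '' \
        '[alt_names]'
    i=1
    for name in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$name"
        i=$((i + 1))
    done
}

# make_csr KEYFILE CSRFILE NAME... -> writes a temporary config and the CSR.
make_csr() {
    key=$1; csr=$2; shift 2
    cfg=$(mktemp)
    make_req_config "$@" > "$cfg"
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$csr"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_has_san CSRFILE NAME -> exit 0 if the CSR's SAN extension lists DNS:NAME.
# openssl prints the SAN as one line: "DNS:a.example, DNS:b.example".
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -E -q "DNS:$2(,|\$)"
}
```

Run csr_has_san against every name you passed in before submitting the CSR; a CSR that silently lost its v3_req section looks fine to openssl but will be rejected or mis-issued by the CA.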
I had the same problem and found the response here:
https://www.citrix.com/blogs/2015/04/10/how-to-create-a-csr-for-a-san-certificate-on-netscaler/
The config file looks like this:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = www.company.net
DNS.4 = company.net
And then:
openssl req -new -key private.key -sha256 -nodes -config openssl.conf -out certificate.csr
For me this error seems to be caused by incorrect path creation when running the command in Windows Server 2012, C:\OpenSSL-Win32\bin:
openssl req -new -sha256 -key private.pem -out example.csr
which output a non-blocking error before asking for the pass phrase:
Can't open C:\Program Files (x86)\Common Files\SSL/openssl.cnf for reading, No such file or directory
Clearly, the path is invalid because of the wrong slash, so the config file must be explicitly appended on the command line:
openssl req -new -sha256 -key private.pem -config openssl.cfg -out example.csr