OpenSSL: How to create a certificate with an empty subject DN?

Question

Is it possible to create a PKCS#10 certificate request / X.509 certificate with the identifying information only in the subject alternate name attribute/extension? According to X.509 4.1.2.6 Subject, the subject can be empty for a certificate whose subject is not a CA as long as the subjectAltName is critical.

But when I use this config file with an empty distinguished_name section:

# request.config
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com

and commands

openssl genrsa 1024 > key.pem
openssl req -new -key key.pem -out req.pem -config request.config

OpenSSL complains:

error, no objects specified in config file
problems making Certificate Request

score 16 · Accepted Answer · answered Jul 23 '15 at 16:49

This worked for me:

test-no-cn.cnf file

[req] 
default_bits       = 4096
encrypt_key        = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com,URI:http://example.com/,IP:192.168.7.1,dirName:dir_sect

[dir_sect]
C=DK
O=My Example Organization
OU=My Example Unit
CN=My Example Name

Generate the CSR

openssl req -new -newkey rsa:4096 -nodes -config test-no-cn.cnf -subj "/" -outform pem -out test-no-cn.csr -keyout test-no-cn.key

Sign the CSR

openssl x509 -req -days 365 -in test-no-cn.csr -signkey test-no-cn.key -out test-no-cn.crt -outform der -extensions v3_req -extfile test-no-cn.cnf

View the resulting certificate

openssl x509 -inform der -in test-no-cn.crt -noout -text

Oran Dennison · Answer 2 · 2013-09-04T20:56:16.013

12

I also ran into this "no objects specified" error. It was displaying a prompt like this for various fields:

US []:

And I was just pressing enter because I had already set these values in the .cnf file. It turns out I needed to type all the values again, and then it worked.

edited Sep 04 '13 at 20:56

answered Sep 04 '13 at 20:50

Oran Dennison

221
2
5

score 4 · Answer 3 · answered Mar 16 '17 at 21:18

The problem is with prompt = no in the original config. That makes openssl req assume you intend to specify subject entries in the config file and hits a preliminary check in req.c.

There's a workaround: Remove prompt = no, and instead add -subj / to your openssl req command line. Here's an example script that produces both a CSR and a self-signed certificate:

cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=critical,email:certtest@example.com
EOF
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -out req.csr
openssl req -newkey rsa:2048 -config openssl.cnf -nodes -new -subj "/" \
  -x509 -out cert.crt

score 3 · Answer 4 · answered Jan 18 '13 at 00:46

3

Try "commonName = optional" in policy sections in openssl configuration file.

answered Jan 18 '13 at 00:46

Artem

31

score 1 · Answer 5 · answered May 23 '15 at 06:59

It seems you enter any single one value from '"distinguished_name" group from your keyboard and it works fine...I mean you do not need to enter other values and can use their default(as mentioned in openssl.conf file) that said

[ req ]
...
distinguished_name = req_distinguished_name
prompt = no
...

Should work fine.

OpenSSL: How to create a certificate with an empty subject DN?

5 Answers5

test-no-cn.cnf file

Generate the CSR

Sign the CSR

View the resulting certificate