Openssl error in req

Error when creating an SSL certificate

Good day to all.

Please advise on the following question. There is a CRM (on nginx) that works only inside the corporate network. CA certificates have been generated on the server, valid all the way to 2023. But the certificate for the site was signed for only a year (and it expired a year ago). The task came up to renew the certificates for the site, but the person who did it last time has long since left. Well, I decided to try to figure it out. I tried going two ways and in both cases hit a dead end (they were two different dead ends, so the way out of the maze must be somewhere around here).

To begin with, I decided to try generating the .key, .csr and .crt for the site afresh using the existing root certificate. I did it as follows:

After that I checked the resulting certificate and got the following error:

I couldn't figure out how to beat it, and thought that I still have the old .key, .csr and .crt for the site and, as I understand it, only the certificate itself has an expiry date, i.e. the .crt. So I decided to try generating the certificate using the existing key and certificate signing request. I tried two different ways and got the same outcome: First I tried using the root certificate

The certificate that verification complained about as self-signed I tried feeding to the browser, but when opening the site I still got the message that the certificate failed verification because it is self-signed.

Please advise where to dig to solve one of the problems, or better both.
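As an added example, not from the original question, the script below issues a site certificate from a CA and checks it with openssl verify, next to the -x509 variant that verify rejects as self-signed (the same complaint the question describes). The CA and all file and host names (ca.key, ca.crt, site.*, crm.example.internal) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): issue a site certificate from an
# existing CA and check the chain with openssl verify. All file and subject
# names here are constructed for the demo.
set -eu

# Throwaway CA so the script runs offline; on a real server ca.key and ca.crt
# already exist and this step is skipped.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" 2>/dev/null
}

# Key and CSR for the site. No -x509 here: that flag turns the request into a
# self-signed certificate instead of something the CA can sign.
make_site_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout site.key -out site.csr -subj "/CN=crm.example.internal" 2>/dev/null
}

# Sign the CSR with the CA key; -CAcreateserial creates ca.srl on first use.
sign_with_ca() {
  openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -out site.crt 2>/dev/null
}

# The broken variant: same key and name, but self-signed via -x509.
make_self_signed() {
  openssl req -x509 -new -key site.key -days 365 -sha256 \
    -out selfsigned.crt -subj "/CN=crm.example.internal" 2>/dev/null
}

# Exit status 0 only if $1 chains to ca.crt; a self-signed leaf fails with
# "self-signed certificate".
verify_against_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Issuer DN of $1, to make the difference visible at a glance.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Runs the whole flow in a scratch directory.
run_demo() {
  cd "$(mktemp -d)"
  make_ca && make_site_csr && sign_with_ca && make_self_signed
  verify_against_ca site.crt && echo "site.crt chains to the CA"
  verify_against_ca selfsigned.crt || echo "selfsigned.crt rejected as self-signed"
  issuer_of site.crt
}
```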


"error, no objects specified in config file" when creating CSR with ECDSA key & config file #3536


I've just been creating an ECDSA-keyed CSR using a config file and ran into what I think is a bug. If I just hit Enter when prompted for e.g. Country Code (to accept the value in my config file) then I get an error and output:

The issue and solution (to re-enter the prompted-for values) is described here:

The same procedure works fine with an RSA-keyed CSR request, so I suspect the issue may be a bug in the EC implementation of openssl req.

I'm using a homebrew-installed openssl on my Mac (Sierra, 10.2.3):

My config file is:

and I am running:

Hopefully that all makes sense. Please let me know if you need any more info. I searched, so I'm hoping this isn't a dupe, but apologies if it is.


Neil — I just went through this same issue. While the command ran I was seeing prompts like "US []:" and I was just hitting enter because the values I wanted were in the file.

I added the line prompt=no to the [req] section and my request ran without error. like this:

Hope this helps!

Edited to add: I second Neil's suggestion that this is a bug. It seems to me that hitting enter on those prompts should have caused the default values to be used.


This isn't a bug. What happens when you just press Enter on all prompts where no default is given is that you end up with an empty subject. That's what the error complains about.

prompt = no is exactly the right way to handle things if you want to specify the DN entirely in the config file. Or, as suggested on, -subj on the command line.

Hi @levitte.
I take your point but I believe the UI is misleading and doesn't fit well with the principle of least surprise. It appears to at least me (and others, based on what I have seen via Googling) that pressing Enter will use the value shown. Compounding that is a pretty unhelpful error message when the creation of the cert fails; worth noting that the behaviour differs between ECC and RSA-based certs. I personally believe this could be relatively easily tidied up (though I fully appreciate it's not exactly earth-shattering in priority).

Does that make sense? I'd be interested to hear your thoughts on this.

In a way it makes sense. We do, however, expect people to read the manual, which says this re this business:

It's not like we're making it a mystery. I can understand, though, if it's not particularly intuitive for those who haven't read the manual.

I agree, though, that the error message isn't the best (read: it's actually quite bad). So that could change to something better.

Below worked for me, without creating any config.
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout "cert.key" -out "cert.pem" -subj "/"

It's not like we're making it a mystery.

The user experience is terrible. Fix it.

Jesus Christ, I lost FOUR HOURS trying to add a subject alternative name. Still NO GO.

Are you guys crazy?!

Yeah, I'm here on purpose and I can't make heads or tails of what's going on. Not great?

Just found this trying to find documentation for config file options.

This is awful. For anyone finding this, have a look at :
"Creating these config files, however, is not easy!"

I just ran into this again. (It's very easy to forget about this little nuance unless you use these tools on a regular basis.)

The message from the tool specifically says "For some fields there will be a default value, If you enter '.', the field will be left blank." which pretty clearly implies that hitting "enter" will use the default value that's present in the config file, and that you have to enter a PERIOD to get a blank value if that's what's desired.

So this is either a bug in the behavior, or a bug in the displayed message. Either way I find it hard to accept the argument that this isn't a bug. The behavior doesn't match the message that's presented to the user. So either the message is wrong, or the behavior is wrong. Which is it?

Below worked for me, without creating any config. openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout "cert.key" -out "cert.pem" -subj "/"

I did it with a config, but received an error. -subj "/" solved my problem.





certificate request file (.csr) is not generated by openSSL, why? #4598


I am new to openSSL. I need to create a .csr file with openSSL to order a new certificate for my Win10 computer. I did the following, as below.

In the demo directory I don't see the "" file.

What did I do wrong?
Appreciate any help.


I think you'll find it in c:\ , because of the backslash in -out \

Hi levitte,
thanks a lot for your kind advice. However I couldn't locate the file in c:. So I re-ran the command so that the file is saved in demo.

cd \demo
set RANDFILE=c:\demo.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

OpenSSL> req -new -newkey rsa:2048 -keyout -out c:\demo\

Then I notice following files in c:\demo

.rnd    31/10/2017 9:49 AM    RND file
        31/10/2017 9:50 AM    CSR file
        31/10/2017 9.49 AM    KEY file

As the final confirmation I need to do the following to check if the .csr file is correct.
req -in c:\demo\ -text -noout

But then I get this error.
OpenSSL> req -in c:\demo\ -text -noout
problem creating object tsa_policy1=
7480:error:08064066:object identifier routines:OBJ_create:oid exists:crypto\objects\obj_dat.c:689:
error in req

Then I tried the below, as the .csr file doesn't show that .csr.
Then I get the following error.
OpenSSL> req -in c:\demo\ -text -noout
req: Cannot open input file c:\demo\, No such file or directory
req: Use -help for summary.

I appreciate any advice to help me figure out what I did wrong.


Error while generate a certificate signing request #338


I am facing an issue while generating a certificate signing request; the below command is used:

openssl req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr

openssl req -verbose -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /tmp/req.csr
engine "pkcs11" set.
Using configuration from /usr/lib/ssl-1.1/openssl.cnf
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory
Specified object not found
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3070050320:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
3070050320:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key. /openssl-1.1.1b/crypto/engine/eng_pkey.c:78:
unable to load Private Key
Error: can't open /var/run/openct/status: No such file or directory
Error: can't open /var/run/openct/status: No such file or directory

OpenSSL> req -engine pkcs11 -new -key "pkcs11:model=SLI9670;manufacturer=Infineon;token=greengrass;object=greenkey;type=private;pin-value=123456" -keyform engine -out /r
engine "pkcs11" set.
problem creating object tsa_policy1=
3069923344:error:08064066:object identifier routines:OBJ_create:oid exists. /openssl-1.1.1b/crypto/objects/obj_dat.c:698:
error in req


Can you please guide us further here?




openssl "unable to find 'distinguished_name' in config"

I get the following error from openssl req:

My understanding is that this is the "Subject" that it can't find... however, I am specifying that:

The manual's only suggestion is that the config file doesn't exist; I can cat "$OPTIONS_FILE", so it's definitely there, and the error isn't preceded by the error the manual says it would be preceded by if this were the case, so I'm pretty sure openssl sees the config file.

My config file contains the following:

What am I doing wrong here?


Near as I can tell, -config is overriding some sort of internal config; if you see the "EXAMPLES" section of the man page for openssl req, it shows an example of a config file with distinguished_name in it. On a hunch, I added the following to my config:

Thus, my entire config looked something like

(Note that here, $ is not literal; you should replace it with your DNS domain name. I create this file in a bash script with cat >"$OPTIONS_FILE", followed by the above, followed by EOF.)

openssl req … -subj -config … then took my subject from the command line. For those interested, the entire command ended up looking like:

As of this posting, my understanding is that SHA-1 is deprecated¹ for X.509 certs, hence -sha256 (which is an undocumented flag…), and subjectAltName is becoming required², hence the need for the config. The only additional gotcha that I know of in order to generate a best-practice CSR with the above is that you should use an RSA key size of at least 2048 bits (if you're using RSA, which I am); you must specify the size to the openssl genrsa command as the current default is insecure.

¹While not broken at the time I'm writing this, people feel that it is only a matter of time. See "Gradually sunsetting SHA1".
²Using CN for the domain name is no longer recommended; I'm not sure when/if browsers are planning to deprecate this. "Move away from including and checking strings that look like domain names in the subject's Common Name.", RFC 6125
Note: I am less certain about the "correct" value of keyUsage.
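One config that serves both the GitHub issue above (empty subject when every prompt is answered with Enter) and this answer (distinguished_name plus subjectAltName in a -config file), as an added example that is neither the issue reporters' nor the answerer's code: prompt = no makes each [dn] entry a literal value, and req_extensions carries the SAN and keyUsage. The file names, the example.com names and the field values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the answer above): one [req] config
# that avoids the empty-subject error from the GitHub issue and carries the
# SAN and keyUsage from the answer. Names and file paths are constructed.
set -eu

# Write the config. With prompt = no each [dn] entry is a literal value.
# Pass "yes" as $2 to reproduce the failure: "C = US" is then read as a
# prompt labelled "US []:" with no default, so Enter leaves it empty.
write_req_config() {  # $1 = output path, $2 = "no" or "yes"
  cat >"$1" <<EOF
[req]
prompt = $2
distinguished_name = dn
req_extensions = v3_req

[dn]
C = US
O = Example Corp
CN = www.example.com

[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
}

# 2048-bit RSA key and a SHA-256 signed CSR taken entirely from the config.
make_csr() {  # $1 = config, $2 = key out, $3 = CSR out
  openssl genrsa -out "$2" 2048 2>/dev/null
  openssl req -new -sha256 -key "$2" -config "$1" -out "$3" 2>/dev/null
}

# -batch answers every prompt as if Enter were pressed; with no *_default
# lines the subject ends up empty and req exits non-zero ("no objects
# specified in config file"), exactly what the issue reporters hit.
csr_with_enter_at_prompts() {  # $1 = config, $2 = key, $3 = CSR out
  openssl req -new -batch -key "$2" -config "$1" -out "$3" 2>/dev/null
}

# Subject line of a CSR, e.g. "subject=C = US, O = Example Corp, CN = ...".
csr_subject() { openssl req -in "$1" -noout -subject; }

# SAN entries requested in the CSR (the line after the extension header).
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Self-signature check; non-zero if the CSR is malformed or tampered with.
csr_selfsig_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
```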

