OpenSSL generating .cnf from windows bat script, error: no objects specified in config file

Tags: certificate-authority, openssl

I'm a little stuck trying to generate certificates against a Windows 2012R2 AD CS CA using OpenSSL.

My bat script asks for some inputs and uses them to generate a .cnf file for that specific request. When I run the script and open the .cnf file I see the following, which all appears correct:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = Michigan
localityName               = Detroit
organizationName           = LEI
commonName                 = nas.lei.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = nas.lei.com
DNS.2 = 192.168.1.15
DNS.3 = 

So far so good, after the bat script generates this file it calls the following openSSL command:

openssl req -out TEMP/%_CNAME%.req -newkey rsa:2048 -nodes -keyout TEMP/%_CNAME%.key -config TEMP/%_CNAME%.cnf

OpenSSL does its thing and starts to give me output as follows:

----
You are about to be asked to enter information that will be incorporated into your certificate request.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
US []:
Michigan []:
etc...

Here is where things go sideways. If I just enter through the fields, accepting the default values from the .cnf file, I get the following:

error, no objects specified in config file. Problems making Certificate Request

Now, if I go back and don't just enter through my defaults, say I set the following:

US []: US

It then accepts my .cnf file, does not generate an error, but generates an invalid CSR; the only item that shows up in the CSR in this case is Country=US.

I can't sort this out. I thought it was an encoding issue, but when I inspect the file in Notepad++ it's UTF-8 encoded. Anyone have any suggestions?

Here is the section of the bat script that generates the .cnf file:

REM Create .cnf file
@echo off
@echo [ req ]> TEMP/%_CNAME%.cnf
@echo default_bits       = 2048>> TEMP/%_CNAME%.cnf
@echo distinguished_name = req_distinguished_name>> TEMP/%_CNAME%.cnf
@echo req_extensions     = req_ext>> TEMP/%_CNAME%.cnf
@echo [ req_distinguished_name ]>> TEMP/%_CNAME%.cnf
@echo countryName                 = US>> TEMP/%_CNAME%.cnf
@echo stateOrProvinceName         = Michigan>> TEMP/%_CNAME%.cnf
@echo localityName               = Detroit>> TEMP/%_CNAME%.cnf
@echo organizationName           = LEI>> TEMP/%_CNAME%.cnf
@echo commonName                 = %_DNS%>> TEMP/%_CNAME%.cnf
@echo [ req_ext ]>> TEMP/%_CNAME%.cnf
@echo subjectAltName = @alt_names>> TEMP/%_CNAME%.cnf
@echo [alt_names]>> TEMP/%_CNAME%.cnf
@echo DNS.1 = %_DNS%>> TEMP/%_CNAME%.cnf
@echo DNS.2 = %_DNS2%>> TEMP/%_CNAME%.cnf
@echo DNS.3 = %_DNS3%>> TEMP/%_CNAME%.cnf

Best Answer

The parameters you used are prompts; they are defined as follows, and you could keep them at these values:

countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
commonName                      = Common Name (eg, your name or your server's hostname)

You should rename these parameters:

countryName                 = US
stateOrProvinceName         = Michigan
localityName               = Detroit
organizationName           = LEI
commonName                 = nas.lei.com

Into:

countryName_default             = US
stateOrProvinceName_default     = Michigan
localityName_default            = Detroit
0.organizationName_default      = LEI
commonName_default              = nas.lei.com

Find openssl.cnf in your system and review it: