OpenSSL generating .cnf from windows bat script, error: no objects specified in config file

I’m a little stuck trying to generate certificates against a windows 2012R2 AD CS CA using openSSL.

My bat script asks for some inputs and uses them to generate a .cnf file for that specific request. When i run the script and open the .cnf file i see the following which all appears correct:

[ req ] default_bits       = 2048 distinguished_name = req_distinguished_name req_extensions     = req_ext [ req_distinguished_name ] countryName                 = US stateOrProvinceName         = Michigan localityName               = Detroit organizationName           = LEI commonName                 = [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = DNS.2 = DNS.3 =  

So far so good, after the bat script generates this file it calls the following openSSL command:

openssl req -out TEMP/%_CNAME%.req -newkey rsa:2048 -nodes -keyout TEMP/%_CNAME%.key -config TEMP/%_CNAME%.cnf 

OpenSSL does it’s thing and starts to give me output as follows:

---- You are about to based to enter information that will be incorporated into your certificate request. For some fields there will be a default value, If you enter '.', the field will be left blank. ---- US []: Michigan []: etc... 

Here is where things go sideways. If i just enter through the fields accepting the default values from the .cnf file, i get the following:

error, no objects specified in config file. Problems making Certificate Request 

Now, if i go back and don’t just enter through my defaults, say i set the following:

US []: US 

It then accepts my .cnf files, does not generate an error, but generates an invalid CSR, the only items that show up in the CSR in this case would be Country=US.

I can’t sort this out, i thought it was an encoding issue but when i inspect the file in notepad++ it’s UTF-8 encoded. Anyone have any suggestions?

Here is the section of the bat scripting that genetrates the .cnf file:

REM Create .cnf file @echo off @echo [ req ]> TEMP/%_CNAME%.cnf @echo default_bits       = 2048>> TEMP/%_CNAME%.cnf @echo distinguished_name = req_distinguished_name>> TEMP/%_CNAME%.cnf @echo req_extensions     = req_ext>> TEMP/%_CNAME%.cnf @echo [ req_distinguished_name ]>> TEMP/%_CNAME%.cnf @echo countryName                 = US>> TEMP/%_CNAME%.cnf @echo stateOrProvinceName         = Michigan>> TEMP/%_CNAME%.cnf @echo localityName               = Detroit>> TEMP/%_CNAME%.cnf @echo organizationName           = LEI>> TEMP/%_CNAME%.cnf @echo commonName                 = %_DNS%>> TEMP/%_CNAME%.cnf @echo [ req_ext ]>> TEMP/%_CNAME%.cnf @echo subjectAltName = @alt_names>> TEMP/%_CNAME%.cnf @echo [alt_names]>> TEMP/%_CNAME%.cnf @echo DNS.1 = %_DNS%>> TEMP/%_CNAME%.cnf @echo DNS.2 = %_DNS2%>> TEMP/%_CNAME%.cnf @echo DNS.3 = %_DNS3%>> TEMP/%_CNAME%.cnf 

What should be OpenSSL .cnf file equivalent of certreq .inf for S/MIME?

Currently I’m using certreq to prepare CSRs for S/MIME certificates. I want to move away from it and start using OpenSSL for key/CSR generation.

My .inf file looks like this:

[Version] Signature="$  Windows NT$  "  [NewRequest] RequestType=PKCS10 Subject="CN=$  name,O=$  org,L=$  loc,C=$  cc,E=$  email" KeyLength=2048 MachineKeySet=FALSE UseExistingKeySet=FALSE Exportable=TRUE ProviderName="Microsoft Enhanced Cryptographic Provider v1.0" ProviderType=1 KeySpec=1 KeyUsage=0xe0  [Extensions] = "{text}" _continue_ = "email=$  email&" 

I’d like to prepare equivalent OpenSSL .cnf file (so it results in CSR as similar as possible), but I’m kind of lost in myriad config options. Can someone more experienced with OpenSSL help?

The CSR will be used to obtain commercial S/MIME certificate.