Troubleshooting “Unknown Option” Errors in OpenSSL Certificate Generation on macOS with XAMPP


1 views

When attempting to generate SSL certificates using OpenSSL through XAMPP on macOS, many developers encounter puzzling "unknown option" errors even when using valid OpenSSL commands. The issue typically manifests when running commands like:

openssl req –new –nodes -key privkey.key –out server.csr

The error message might claim "-new" or "-out" are unknown options, despite these being standard OpenSSL parameters.

This issue typically stems from one of these three scenarios:

  1. Character encoding problems: The commands may contain "smart quotes" or en-dashes (–) instead of standard hyphens (-)
  2. Path configuration issues: XAMPP's OpenSSL may not be properly linked or configured
  3. Command syntax errors: Improper ordering or spacing of parameters

First, check which OpenSSL version you're using:

which openssl
openssl version

If it points to XAMPP's installation, you might want to try using the system OpenSSL instead:

/usr/bin/openssl version

Here are verified commands that work with XAMPP's OpenSSL on macOS:

# Generate private key
openssl genrsa -des3 -out privkey.key 2048

# Generate CSR (pay attention to hyphen characters)
openssl req -new -nodes -key privkey.key -out server.csr -config /Applications/XAMPP/xamppfiles/share/openssl/openssl.cnf

If you continue experiencing issues, consider using the system OpenSSL instead:

# Using system OpenSSL
/usr/bin/openssl req -new -nodes -key privkey.key -out server.csr
  • Copy-pasting commands from webpages may introduce non-ASCII hyphens
  • Ensure there's no space between the hyphen and parameter name
  • Verify file permissions on your key files
  • Confirm the openssl.cnf file exists at the specified path

For more complex certificate needs, consider this extended example:

openssl req -new -sha256 \
    -key privkey.key \
    -out server.csr \
    -config /Applications/XAMPP/xamppfiles/share/openssl/openssl.cnf \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company/OU=IT Department/CN=yourdomain.com"

Many developers encounter this specific OpenSSL error when copy-pasting commands from documentation or tutorials. The root cause often lies in hidden character encoding issues:

# What you think you're typing (ASCII hyphens)
openssl req -new -nodes -key privkey.key -out server.csr

# What might actually be in your command (en-dashes)
openssl req –new –nodes -key privkey.key –out server.csr

Here's the correct sequence with ASCII hyphens (-) instead of typographic dashes (–):

# Generate private key (works correctly)
openssl genrsa -des3 -out privkey.key 2048

# Generate CSR (corrected version)
openssl req -new -nodes -key privkey.key -out server.csr

While the -config parameter isn't strictly necessary for basic CSR generation, if you need to specify one, place it right after the 'req' subcommand:

openssl req -config /path/to/openssl.cnf \
  -new \
  -nodes \
  -key privkey.key \
  -out server.csr

To ensure you're using the expected OpenSSL version (particularly important on macOS with its built-in LibreSSL):

# Check OpenSSL version
openssl version

# Alternative using full path (common with XAMPP)
/Applications/XAMPP/xamppfiles/bin/openssl version

Here's a full workflow including subject DN specification:

# 1. Generate encrypted private key
openssl genrsa -aes256 -out private.key 2048

# 2. Generate CSR (non-interactive version)
openssl req -new \
  -key private.key \
  -out request.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=Your Company/CN=yourdomain.com"
  • Type commands manually instead of copy-pasting
  • Check for hidden whitespace characters
  • Try the basic command without any -config parameter first
  • Verify file permissions on your .key file
  • Test with both your XAMPP OpenSSL and system OpenSSL