Automated certificate creation


Automated certificate creation

Urjit Gokhale
Hi,
 
while creating certificate requests using openssl, one is prompted for some information like Country name, State, Locality name etc.
Though these parameters have defaults set, one has to hit return to move ahead.
 
Is there a way to achieve this without being prompted for any information (either by using default values, or making the appropriate values in some file)?
I believe this can be done through some script, but I was just wondering if such a script already exists.
Any hint towards achieving this will be highly appreciated.
 
thank you,
~ Urjit

DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.


Re: Automated certificate creation

Marek.Marcola
Hello,

>
> while creating certificate requests using openssl, one is prompted for
> some information like Country name, Sate, Locality name etc.
> Though these parameters have defaults set, one has to hit return to
> move ahead.
>  
> Is there a way to achieve this without being prompted for any
> information (either by using default values, or making the appropriate
> values in some file) ?
> I believe this can be done through some script, but I was just
> wondering if such a script already exists.
> Any hint towards achieving this will be highly appreciated.
"-batch" option?

Best regards,
--
Marek Marcola <[hidden email]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Automated certificate creation

Bear Giles
In reply to this post by Urjit Gokhale
> Hi,
>
> while creating certificate requests using openssl, one is prompted for
> some information like Country name, Sate, Locality name etc.
> Though these parameters have defaults set, one has to hit return to move
> ahead.
>
> Is there a way to achieve this without being prompted for any information
> (either by using default values, or making the appropriate values in some
> file) ?
> I believe this can be done through some script, but I was just wondering
> if such a script already exists.
> Any hint towards achieving this will be highly appreciated.

I haven't worked with this recently, but if you had the default

 country_default=ZZ

then you could actually set it, not just default it, with

 country_value=ZZ

in the config file.


RE: Automated certificate creation

Carlo Milono
In reply to this post by Urjit Gokhale

I made a “self-serve” model with a simple form POST and a script – I received four input parameters and assembled a text file and passed the parameters to the script:

 

REM set the basic configuration parameters
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
REM %1 is emailAddress, %2 is password, %3 is Friendly Name, %4 is PID
set PASS=%2

REM make a request for 1024-bit RSA signed by SHA1 using inputs from user-specific attributes.txt - no prompting
openssl req -newkey rsa:1024 -sha1 -keyout %4-Key.pem -keyform PEM -out %4-Req.pem -outform PEM -config %1.txt -batch -verbose

REM sign the request
openssl ca -md sha1 -in %4-Req.pem -out %4-Cert.pem -key password -batch

REM make the certificate into PKCS#12 format with the full chain using Priv Key and Export passwords assigned to env var $PASS or %PASS%
openssl pkcs12 -aes128 -chain -export -in %4-Cert.pem -out %1.p12 -inkey %4-Key.pem -CAfile cacert.pem -name %3 -passin env:PASS -passout env:PASS

 

Sample attributes.txt file:

[ req ]
  default_bits           = 1024
  default_keyfile        = keyfile.pem
  distinguished_name     = req_distinguished_name
  attributes             = req_attributes
  prompt                 = no
  # quoted: an unquoted $ starts a variable reference in an OpenSSL config file
  output_password        = "gue$sth1sOne!"

[ req_distinguished_name ]
  C                      = US
  ST                     = CA
  L                      = Palo Alto
  O                      = Macrowidgets Inc.
  OU                     = Engineering
  CN                     = Jack Sprat
  emailAddress           = [hidden email]

[ req_attributes ]
  challengePassword      = "gue$sth1sOne!"

 



RE: Automated certificate creation

Smith, Ryan-P56787
In reply to this post by Urjit Gokhale
Here is an OpenSSL command that I have had success with in the past.
 
openssl req -new -out certreq.pem -subj '/C=US/ST=Arizona/L=City/O=Organization/CN=My Common Name' -passout pass:password
 
Of course this certificate request needs to be signed by the CA to become a valid certificate.
 
openssl ca -batch -keyfile cakey.pem -cert cacert.pem -key password -out cert.pem -infiles certreq.pem
 
Note: The use of the -key option may not be a good idea, as it bares the Root Key password in cleartext.  Similarly, the use of the -passout option in the first command bares the new private key password (corresponding to the new certificate).  While this is not as big of a deal as revealing the Root Key password, it is still a risk.  However, this method allows one to create a certificate without input on the command line.  Leaving either of these options out, OpenSSL will prompt you to type in the password.
 
Also, any options that are not explicitly set via command line options (key length and algorithm, message digest, etc...) will be obtained from the config file.  You can also go the other way with this and put all of the settings in the configuration file (passwords, subj, etc...).
 
Hope this helps.
 

Ryan G Smith
General Dynamics C4 Systems West (GDC4S West)
8220 E. Roosevelt
Scottsdale, AZ 85257
Office: (480) 441-0708
[hidden email]

This email message is for the sole use of the intended recipient(s) and may contain GDC4S confidential or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender by reply email and destroy all copies of the original message.

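An added example, not from any post in this thread, that turns a DN dictionary into the two prompt-free inputs discussed above (Carlo's `prompt = no` config file and Ryan's `-subj` string) and flags the command-line password exposure Ryan's note describes; the function names and the `/run/secrets` path are my own choices.

```python
DN_ORDER = ("C", "ST", "L", "O", "OU", "CN", "emailAddress")  # subject order

def _kv(key, value):
    return f"{key:<22} = {value}"

def conf_quote(value):
    # Unquoted '$' starts a variable reference and '#' a comment in an
    # OpenSSL config file; quoting keeps a value such as a password literal.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def render_req_config(dn, bits=2048, digest="sha256"):
    """Config for `openssl req -config FILE -batch`: prompt = no, DN inline."""
    lines = ["[ req ]",
             _kv("default_bits", bits),
             _kv("default_md", digest),
             _kv("distinguished_name", "req_distinguished_name"),
             _kv("prompt", "no"),
             "",
             "[ req_distinguished_name ]"]
    lines += [_kv(k, conf_quote(dn[k])) for k in DN_ORDER if k in dn]
    return "\n".join(lines) + "\n"

def subj_arg(dn):
    """Equivalent -subj argument; a '/' inside a value must be escaped."""
    parts = []
    for k in DN_ORDER:
        if k in dn:
            value = dn[k].replace("/", "\\/")
            parts.append(f"{k}={value}")
    return "/" + "/".join(parts)

def req_command(dn, key_out, csr_out, pass_file):
    """argv for a prompt-free CSR. The key password is read from a file
    (-passout file:) rather than pass:..., so it never shows up in `ps`."""
    return ["openssl", "req", "-new", "-batch", "-newkey", "rsa:2048",
            "-keyout", key_out, "-out", csr_out,
            "-subj", subj_arg(dn), "-passout", f"file:{pass_file}"]

def leaks_secret_on_cmdline(argv):
    """True if a password sits on the command line: -passin/-passout with a
    pass: source, or `openssl ca -key <password>` (for req, -key is a file)."""
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-passin", "-passout") and value.startswith("pass:"):
            return True
        if flag == "-key" and argv[1:2] == ["ca"]:
            return True
    return False
```

Write the rendered config to the file named by `-config`, or pass `subj_arg(dn)` to `-subj`; either way `openssl req` asks nothing, and the password file should be readable only by the account running the script.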


Re: Automated certificate creation

Urjit Gokhale
In reply to this post by Urjit Gokhale
Thank you everyone for your replies.
I will try them out and will get back to you again in case I have any more
questions.
Thanks a lot.

~ Urjit
