Automation question


Automation question

McCann, Brian
Hi all...I'm new to the list and for the most part OpenSSL as well...so
sorry if I use the wrong terminology.  I've searched the list archives,
as well as Google, and cannot figure this out.  I'm trying to create a
CA certificate, as well as certificates for users using a script (called
from a web browser).  For the life of me, I cannot figure out how to
send the "openssl req" and "openssl ca" command the answers to the
questions it needs (O,OU,State,etc) through a text file or std in...I'm
sure this is possible...I just can't find how!  Any help would be
greatly appreciated!
 
Thanks,
--Brian McCann
 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Automation question

Oliver Leitner-2
You could use the system() command from PHP, for one; on the other hand,
you may want to try running some background CGI.

There's plenty of ways to call commands from a webpage.

Greetings
Oliver

Re: Automation question

Thomas J. Hruska
That didn't answer the OP's question.  You should specify what platform
you are working under.  Under Windows, using stdin to fill in the fields
is difficult (if not impossible) because the password field does not use
stdin but rather the Console APIs.

Personally, I think there should be a command-line option to define
those fields in a URL-encoded format.  That would go a long way to
eliminating the .cnf files, which, under Windows, are considered to be a
special file type such that they can't be opened in notepad very easily.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

Ask me about discounts on any Shining Light Productions product!

RE: Automation question

McCann, Brian
In reply to you both: the PHP part I've got down; that's not the problem.
It's what to tell openssl to do.  I'm trying now to make a cnf file to
make a CA without prompting, then to make a certificate req and sign it
without prompting...at least now I know I'm in the right direction.

Thanks!
--Brian


RE: Automation question

Brian DeGeeter
You need to set the cnf so it won't prompt.


Here's a little excerpt from a shell script:

cat <<@eof >$CONFFILE
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = WA
L = Yadda
O = Yadda
OU = Chain One
CN = chain-one.dig.net
emailAddress = [hidden email]
[extend] # openssl extensions
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always
#basicConstraints = critical,CA:true
#keyUsage = keyCertSign,cRLSign
#nsCertType = sslCA,emailCA,objCA
#certificatePolicies = ia5org,@policy
[policy]
@eof

echo 01 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
    -newkey rsa:2048 -passout pass:yadda -keyout inter.key.pem |
$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
    -CAserial $SNUMFILE -days 364 -passin pass:yadda \
    -CA /root/ssl/file.crt -CAkey /root/ssl/file.key -out inter.cert.pem


RE: Automation question

prakash babu
Hi,
 
While creating self-signed certificates and certificate requests, use -subj to specify
the subject name and -nodes to avoid prompting for a password (the private key will not be encrypted).
If you want the password to be encrypted, generate the RSA key using the genrsa command with the -passout option and use this key to generate the certificate.
 
While signing certificate requests using the ca command, use the -batch option (in this mode no questions will be asked and all certificates will be certified automatically).
         
Try using the following script.
######################################################################
  
ssl_dir="/usr/local/openssl"
if [ ! -d "$ssl_dir" ]
then
        echo "OpenSSL not installed in $ssl_dir"
        exit 1
fi
cd "$ssl_dir"
#############
#Set up the CA
#############
echo "Create a self signed certificate for the CA"
openssl req -x509 -out "$ssl_dir/bin/cacert.pem" -new -keyout "$ssl_dir/bin/cakey.pem" -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=prakash -nodes
 
echo "Set up the CA using the CA.pl script"
# CA.pl -newca reads the CA certificate filename from stdin; feed it the cert just created
echo "$ssl_dir/bin/cacert.pem" | "$ssl_dir/misc/CA.pl" -newca
 
echo "Copy the CA private key to the private directory"
cp "$ssl_dir/bin/cakey.pem" "$ssl_dir/demoCA/private/"
 
###########################
#Generate a number of requests
###########################
echo "Create certificate request for user 1.."
openssl req -out cert_req_user1.pem -new -keyout priv_key_user1.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user1 -nodes
 
echo "Create certificate request for user 2.."
openssl req -out cert_req_user2.pem -new -keyout priv_key_user2.pem -subj /C=IN/ST=TamilNadu/L=Coimbatore/O=test/CN=user2 -nodes
 
#############################
#Issue Certificate
#############################
echo "Issue certificate for the first user"
openssl ca -in cert_req_user1.pem -batch
echo "Issue certificate for the second user"
openssl ca -in cert_req_user2.pem -batch
 
######################################################################
regards,
Prakash

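Putting Brian DeGeeter's `prompt = no` config and Prakash's `-subj`/`-nodes`/`-batch` flags together, here is an added, self-contained example (not code from the thread or from the OpenSSL project) of a small CA that never prompts: one generated `openssl.cnf` drives both `openssl req` and `openssl ca`, user certificates are issued with `openssl ca -batch`, and the result is checked with `openssl verify`. The directory layout, DN values, file names and the `build_ca`/`dn_escape`/`issue_cert` helpers are assumptions made for illustration; the only requirement is an `openssl` binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: a non-interactive mini-CA using
# `openssl req` and `openssl ca`. Paths, DN values and file names are
# illustrative; the only requirement is an `openssl` binary (1.1.1 or 3.x).
set -eu

# build_ca DIR: CA directory layout, a config whose [req] section says
# `prompt = no`, and a self-signed CA certificate with no passphrase prompt.
build_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    # $dir is expanded by the shell here; \$dir is left for openssl itself.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose
x509_extensions = usr_cert

[ policy_loose ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_cert

[ ca_dn ]
C  = US
O  = Example Corp
OU = Internal PKI
CN = Example Internal CA

[ ca_cert ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ usr_cert ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -config "$dir/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650
    chmod 600 "$dir/private/cakey.pem"
}

# dn_escape STRING: escape '\' and '/' so a caller-supplied value (a CN typed
# into a web form, say) cannot add or split RDNs inside a -subj argument.
dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's,/,\\/,g'
}

# issue_cert DIR CN OUTBASE: user key and CSR with no DN prompts (-subj and
# -nodes), signed with `openssl ca -batch`. Writes OUTBASE.key/.csr/.crt.
issue_cert() {
    dir=$1; cn=$(dn_escape "$2"); out=$3
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$out.key" -out "$out.csr" -subj "/O=Example Corp/OU=Users/CN=$cn"
    openssl ca -config "$dir/openssl.cnf" -batch -notext -in "$out.csr" -out "$out.crt"
}

# cert_subject CERT: subject in RFC 2253 form, e.g. subject=CN=bob,OU=Users,O=Example Corp
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

# verify_cert DIR CERT: succeeds only if CERT chains to the CA from build_ca.
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }

# Stand-alone demo in a scratch directory; a CN containing '/' survives intact.
demo() {
    ca=$(mktemp -d)
    build_ca "$ca" >/dev/null 2>&1
    issue_cert "$ca" 'alice/ops' "$ca/alice" >/dev/null 2>&1
    verify_cert "$ca" "$ca/alice.crt"
    echo "issued and verified: $(cert_subject "$ca/alice.crt")"
}
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping demo" >&2; exit 0; }
demo
```

Three things to keep in mind before wiring this to a web page. `-nodes` leaves the CA key unencrypted, so its only protection is the file mode and the uid that runs the signing step: keep that uid separate from the web server's and have the PHP side hand over CSRs rather than call `openssl ca` itself. If the key must stay encrypted, pass the passphrase with `-passin file:...` or `-passin env:...` rather than `pass:...`, which is visible in the process list. And `dn_escape` only stops a form value from injecting extra RDNs into `-subj`; it is no substitute for validating the CN against an allowlist and for `escapeshellarg()` on anything PHP passes to `system()`.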